Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/version.asciidoc[]

Unresolved directive in README.adoc - include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]

Unresolved directive in README.adoc - include::{asciidoc-dir}/../../shared/attributes.asciidoc[]

Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/shared-beats-attributes.asciidoc[]

Filebeat overview

Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.

Here’s how Filebeat works: When you start Filebeat, it starts one or more inputs that look in the locations you’ve specified for log data. For each log that Filebeat locates, Filebeat starts a harvester. Each harvester reads a single log for new content and sends the new log data to libbeat, which aggregates the events and sends the aggregated data to the output that you’ve configured for Filebeat.

For more information about inputs and harvesters, see How Filebeat works.

Unresolved directive in overview.asciidoc - include::/github/workspace/../../libbeat/docs/shared-libbeat-description.asciidoc[]

Filebeat quick start: installation and configuration

Quick start: installation and configuration

This guide describes how to get started quickly with log collection. You’ll learn how to:

install Filebeat on each system you want to monitor
specify the location of your log files
parse log data into fields and send it to {es}
visualize the log data in {kib}

Before you begin

You need {es} for storing and searching your data, and {kib} for visualizing and managing it.

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/spinup-stack-widget.asciidoc[]

Step 1: Install Filebeat

Install Filebeat on all the servers you want to monitor.

To download and install Filebeat, use the commands that work with your system:

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/install-widget.asciidoc[]

The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.

Other installation options

APT or YUM
Download page
Docker
Kubernetes
Cloud Foundry

Step 2: Connect to the {stack}

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/shared/connecting-to-es.asciidoc[]

Step 3: Collect log data

There are several ways to collect log data with Filebeat:

Data collection modules — simplify the collection, parsing, and visualization of common log formats
ECS loggers — structure and format application logs into ECS-compatible JSON
Manual Filebeat configuration

Enable and configure data collection modules

Identify the modules you need to enable. To see a list of available modules, run:

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/list-modules-widget.asciidoc[]
From the installation directory, enable one or more modules. For example, the following command enables the {modulename} module config:

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/enable-modules-widget.asciidoc[]
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module. Filesets are disabled by default.

For example, log locations are set based on the OS. If your logs aren’t in default locations, set the paths variable:
- module: nginx access: enabled: true var.paths: ["/var/log/nginx/access.log*"] (1)

To see the full list of variables for a module, see the documentation under Modules.

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/shared/config-check.asciidoc[]

Enable and configure ECS loggers for application log collection

While Filebeat can be used to ingest raw, plain-text application logs, we recommend structuring your logs at ingest time. This lets you extract fields, like log level and exception stack traces.

Elastic simplifies this process by providing application log formatters in a variety of popular programming languages. These plugins format your logs into ECS-compatible JSON, which removes the need to manually parse logs.

See {ecs-logging-ref}/intro.html[ECS loggers] to get started.

Configure Filebeat manually

If you’re unable to find a module for your file type, or can’t change your application’s log output, see configure the input manually.

Step 4: Set up assets

Filebeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

Make sure the user specified in {beatname_lc}.yml is authorized to set up Filebeat.
From the installation directory, run:

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/setup-widget.asciidoc[]

-e is optional and sends output to standard error instead of the configured log output.

Tip

If the command above gives Exiting: couldn’t connect to any of the configured Elasticsearch hosts error, https://discuss.elastic.co/t/filebeat-exiting-couldnt-connect-to-any-of-the-configured-elasticsearch-hosts/297997/2[on 8.0 TLS is enabled by default, so we need to set the ca_trusted_fingerprint on our output configuration as well as enable SSL:

output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  username: "elastic"
  password: "MY_PASSWORD"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c"

The fingerprint can be obtained by

openssl x509 -in /etc/elasticsearch/certs/http_ca.crt -sha256 -fingerprint | grep SHA256 | sed 's/://g'

Note that the certificate is at /etc/elasticsearch/certs/[https://qubitpi.github.io/elasticsearch/configuring-stack-security.html#_connect_clients_to_elasticsearch_5]

This step loads the recommended {ref}/index-templates.html[index template] for writing to {es} and deploys the sample dashboards for visualizing the data in {kib}.

This step does not load the ingest pipelines used to parse log lines. By default, ingest pipelines are set up automatically the first time you run the module and connect to {es}.

Tip	A connection to {es} (or {ess}) is required to set up the initial environment. If you’re using a different output, such as {ls}, see: [load-template-manually] [load-kibana-dashboards] Load ingest pipelines

Note	Filebeat should not be used to ingest its own log as this may lead to an infinite loop.

Step 5: Start Filebeat

Before starting Filebeat, modify the user credentials in {beatname_lc}.yml and specify a user who is authorized to publish events.

To start Filebeat, run:

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/tab-widgets/start-widget.asciidoc[] :requires-sudo!:

Filebeat should begin streaming events to {es}.

Step 6: View your data in {kib}

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/shared/opendashboards.asciidoc[tag=open-dashboards-intro]

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/shared/opendashboards.asciidoc[tag=open-dashboards]

What’s next?

Now that you have your logs streaming into {es}, learn how to unify your logs, metrics, uptime, and application performance data.

Unresolved directive in getting-started.asciidoc - include::/github/workspace/../../libbeat/docs/shared/obs-apps.asciidoc[]

Set up and run Filebeat

Set up and run

Before reading this section, see Filebeat quick start: installation and configuration for basic installation instructions to get you started.

This section includes additional information on how to install, set up, and run Filebeat, including:

[directory-layout]
[keystore]
[command-line-options]
[setup-repositories]
[running-on-docker]
Run Filebeat on Kubernetes
[running-on-cloudfoundry]
[running-with-systemd]
[filebeat-starting]
[shutdown]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/shared-directory-layout.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/keystore.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/command-reference.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/repositories.asciidoc[]

Unresolved directive in running-on-docker.asciidoc - include::/github/workspace/../../libbeat/docs/shared-docker.asciidoc[]

Run Filebeat on Kubernetes

You can use Filebeat Docker images on Kubernetes to retrieve and ship container logs.

Tip	Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK].

Kubernetes deploy manifests

You deploy Filebeat as a DaemonSet to ensure there’s a running instance on each node of the cluster.

The container logs host folder (/var/log/containers) is mounted on the Filebeat container. Filebeat starts an input for the files and begins harvesting them as soon as they appear in the folder.

Everything is deployed under the kube-system namespace by default. To change the namespace, modify the manifest file.

To download the manifest file, run:

curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/filebeat-kubernetes.yaml

Warning

If you are using Kubernetes 1.7 or earlier: Filebeat uses a hostPath volume to persist internal data. It’s located under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (DirectoryOrCreate), which was introduced in Kubernetes 1.8. You need to remove type: DirectoryOrCreate from the manifest and create the host folder yourself.

Settings

By default, Filebeat sends events to an existing Elasticsearch deployment, if present. To specify a different destination, change the following parameters in the manifest file:

- name: ELASTICSEARCH_HOST
  value: elasticsearch
- name: ELASTICSEARCH_PORT
  value: "9200"
- name: ELASTICSEARCH_USERNAME
  value: elastic
- name: ELASTICSEARCH_PASSWORD
  value: changeme

Running Filebeat on master nodes

Kubernetes master nodes can use taints to limit the workloads that can run on them. To run Filebeat on master nodes you may need to update the Daemonset spec to include proper tolerations:

spec:
 tolerations:
 - key: node-role.kubernetes.io/master
   effect: NoSchedule

Red Hat OpenShift configuration

If you are using Red Hat OpenShift, you need to specify additional settings in the manifest file and enable the container to run as privileged. Filebeat needs to run as a privileged container to mount logs written on the node (hostPath) and read them.

Modify the DaemonSet container spec in the manifest file:

  securityContext:
    runAsUser: 0
    privileged: true

Grant the filebeat service account access to the privileged SCC:
```
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:filebeat
```
This command enables the container to be privileged as an administrator for OpenShift.
Override the default node selector for the kube-system namespace (or your custom namespace) to allow for scheduling on any node:
```
oc patch namespace kube-system -p \
'{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
```
This command sets the node selector for the project to an empty string. If you don’t run this command, the default node selector will skip master nodes.

In order to support runtime environments with Openshift (eg. CRI-O, containerd) you need to configure following path:

filebeat.inputs:
- type: container
  paths: <1>
    - '/var/log/containers/*.log'

Same path needs to be configured in case autodiscovery needs to be enabled:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*.log

Note	`/var/log/containers/.log` is normally a symlink to `/var/log/pods//*.log`, so above paths can be edited accordingly

Load {kib} dashboards

Filebeat comes packaged with various pre-built {kib} dashboards that you can use to visualize logs from your Kubernetes environment.

If these dashboards are not already loaded into {kib}, you must install Filebeat on any system that can connect to the {stack}, and then run the setup command to load the dashboards. To learn how, see Load {kib} dashboards.

The setup command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines are set up automatically the first time you run Filebeat and connect to {es}.

Important

If you are using a different output other than {es}, such as {ls}, you need to:

[load-template-manually]
[load-kibana-dashboards]
Load ingest pipelines

Deploy

To deploy Filebeat to Kubernetes, run:

kubectl create -f filebeat-kubernetes.yaml

To check the status, run:

$ kubectl --namespace=kube-system get ds/filebeat

NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
filebeat   32        32        0         32           0                     1m

Log events should start flowing to Elasticsearch. The events are annotated with metadata added by the [add-kubernetes-metadata] processor.

Parsing json logs

It is common case when collecting logs from workloads running on Kubernetes that these applications are logging in json format. In these case, special handling can be applied so as to parse these json logs properly and decode them into fields. Bellow there are provided 2 different ways of configuring filebeat’s autodiscover so as to identify and parse json logs. We will use an example of one Pod with 2 containers where only one of these logs in json format.

Example log:

{"type":"log","@timestamp":"2020-11-16T14:30:13+00:00","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to Error: No Living connections error"}

Using json.* options with templates

filebeat.autodiscover:
  providers:
      - type: kubernetes
        node: ${NODE_NAME}
        templates:
          - condition:
              contains:
                kubernetes.container.name: "no-json-logging"
            config:
              - type: container
                paths:
                  - "/var/log/containers/*-${data.kubernetes.container.id}.log"
          - condition:
              contains:
                kubernetes.container.name: "json-logging"
            config:
              - type: container
                paths:
                  - "/var/log/containers/*-${data.kubernetes.container.id}.log"
                json.keys_under_root: true
                json.add_error_key: true
                json.message_key: message

Using json.* options with hints

Key part here is to properly annotate the Pod to only parse logs of the correct container as json logs. In this, annotation should be constructed like this:

co.elastic.logs.<container_name>/json.keys_under_root: "true"

Autodiscovery configuration:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log

Then annotate the pod properly:

annotations:
    co.elastic.logs.json-logging/json.keys_under_root: "true"
    co.elastic.logs.json-logging/json.add_error_key: "true"
    co.elastic.logs.json-logging/json.message_key: "message"

Logrotation

According to kubernetes documentation Kubernetes is not responsible for rotating logs, but rather a deployment tool should set up a solution to address that. Different logrotation strategies can cause issues that might make Filebeat losing events or even duplicating events. Users can find more information about Filebeat’s logrotation best practises at Filebeat’s log rotation specific documentation

Unresolved directive in running-on-cloudfoundry.asciidoc - include::/github/workspace/../../libbeat/docs/shared-cloudfoundry.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/shared-systemd.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/shared/start-beat.asciidoc[]

Unresolved directive in setting-up-running.asciidoc - include::/github/workspace/../../libbeat/docs/shared/shutdown.asciidoc[]

Upgrade Filebeat

Upgrade

For information about upgrading to a new version, see:

{beats-ref}/breaking-changes.html[Breaking Changes]
{beats-ref}/upgrading.html[Upgrade]

How Filebeat works

In this topic, you learn about the key building blocks of Filebeat and how they work together. Understanding these concepts will help you make informed decisions about configuring Filebeat for specific use cases.

Filebeat consists of two main components: inputs and harvesters. These components work together to tail files and send event data to the output that you specify.

What is a harvester?

A harvester is responsible for reading the content of a single file. The harvester reads each file, line by line, and sends the content to the output. One harvester is started for each file. The harvester is responsible for opening and closing the file, which means that the file descriptor remains open while the harvester is running. If a file is removed or renamed while it’s being harvested, Filebeat continues to read the file. This has the side effect that the space on your disk is reserved until the harvester closes. By default, Filebeat keeps the file open until close_inactive is reached.

Closing a harvester has the following consequences:

The file handler is closed, freeing up the underlying resources if the file was deleted while the harvester was still reading the file.
The harvesting of the file will only be started again after scan_frequency has elapsed.
If the file is moved or removed while the harvester is closed, harvesting of the file will not continue.

To control when a harvester is closed, use the close_* configuration options.

What is an input?

An input is responsible for managing the harvesters and finding all sources to read from.

If the input type is log, the input finds all files on the drive that match the defined glob paths and starts a harvester for each file. Each input runs in its own Go routine.

The following example configures Filebeat to harvest lines from all log files that match the specified glob patterns:

filebeat.inputs:
- type: log
  paths:
    - /var/log/*.log
    - /var/path2/*.log

Filebeat currently supports several input types. Each input type can be defined multiple times. The log input checks each file to see whether a harvester needs to be started, whether one is already running, or whether the file can be ignored (see ignore_older). New lines are only picked up if the size of the file has changed since the harvester was closed.

How does Filebeat keep the state of files?

Filebeat keeps the state of each file and frequently flushes the state to disk in the registry file. The state is used to remember the last offset a harvester was reading from and to ensure all log lines are sent. If the output, such as Elasticsearch or Logstash, is not reachable, Filebeat keeps track of the last lines sent and will continue reading the files as soon as the output becomes available again. While Filebeat is running, the state information is also kept in memory for each input. When Filebeat is restarted, data from the registry file is used to rebuild the state, and Filebeat continues each harvester at the last known position.

For each input, Filebeat keeps a state of each file it finds. Because files can be renamed or moved, the filename and path are not enough to identify a file. For each file, Filebeat stores unique identifiers to detect whether a file was harvested previously.

If your use case involves creating a large number of new files every day, you might find that the registry file grows to be too large. See Registry file is too large for details about configuration options that you can set to resolve this issue.

How does Filebeat ensure at-least-once delivery?

Filebeat guarantees that events will be delivered to the configured output at least once and with no data loss. Filebeat is able to achieve this behavior because it stores the delivery state of each event in the registry file.

In situations where the defined output is blocked and has not confirmed all events, Filebeat will keep trying to send events until the output acknowledges that it has received the events.

If Filebeat shuts down while it’s in the process of sending events, it does not wait for the output to acknowledge all events before shutting down. Any events that are sent to the output, but not acknowledged before Filebeat shuts down, are sent again when Filebeat is restarted. This ensures that each event is sent at least once, but you can end up with duplicate events being sent to the output. You can configure Filebeat to wait a specific amount of time before shutting down by setting the shutdown_timeout option.

Note

There is a limitation to Filebeat’s at-least-once delivery guarantee involving log rotation and the deletion of old files. If log files are written to disk and rotated faster than they can be processed by Filebeat, or if files are deleted while the output is unavailable, data might be lost. On Linux, it’s also possible for Filebeat to skip lines as the result of inode reuse. See Common problems for more details about the inode reuse issue.

Configure Filebeat

Configure inputs

Inputs

Tip	Filebeat modules provide the fastest getting started experience for common log formats. See Filebeat quick start: installation and configuration to learn how to get started.

To configure Filebeat manually (instead of using modules), you specify a list of inputs in the {beatname_lc}.inputs section of the {beatname_lc}.yml. Inputs specify how Filebeat locates and processes input data.

The list is a YAML array, so each input begins with a dash (-). You can specify multiple inputs, and you can specify the same input type more than once. For example:

filebeat.inputs:
- type: filestream
  id: my-filestream-id <1>
  paths:
    - /var/log/system.log
    - /var/log/wifi.log
- type: filestream
  id: apache-filestream-id
  paths:
    - "/var/log/apache2/*"
  fields:
    apache: true
  fields_under_root: true

Each filestream input must have a unique ID to allow tracking the state of files.

For the most basic configuration, define a single input with a single path. For example:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  paths:
    - /var/log/*.log

The input in this example harvests all files in the path /var/log/*.log, which means that Filebeat will harvest all files in the directory /var/log/ that end with .log. All patterns supported by Go Glob are also supported here.

To fetch all files from a predefined level of subdirectories, use this pattern: /var/log//.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.

Input types

You can configure Filebeat to use the following inputs:

Manage multiline messages

Multiline messages

The files harvested by Filebeat may contain messages that span multiple lines of text. For example, multiline messages are common in files that contain Java stack traces. In order to correctly handle these multiline events, you need to configure multiline settings in the {beatname_lc}.yml file to specify which lines are part of a single event.

Important

If you are sending multiline events to Logstash, use the options described here to handle multiline events before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, by using the Logstash multiline codec) may result in the mixing of streams and corrupted data.

Also read [yaml-tips] and [regexp-support] to avoid common mistakes.

Configuration options

You can specify the following options in the {beatname_lc}.inputs section of the {beatname_lc}.yml config file to control how Filebeat deals with messages that span multiple lines.

The following example shows how to configure filestream input in Filebeat to handle a multiline message where the first line of the message begins with a bracket ([).

Please note that the example below only works with filestream input, and not with log input.

parsers:
- multiline:
    type: pattern
    pattern: '^\['
    negate: true
    match: after

If you still use the deprecated log input, there is no need to use parsers.

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

Filebeat takes all the lines that do not start with [ and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:

[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
    at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)

multiline.type

Defines which aggregation method to use. The default is pattern. The other options are count which lets you aggregate constant number of lines and while_pattern which aggregate lines by pattern without match option.

multiline.pattern

Specifies the regular expression pattern to match. Note that the regexp patterns supported by Filebeat differ somewhat from the patterns supported by Logstash. See [regexp-support] for a list of supported regexp patterns. Depending on how you configure other multiline options, lines that match the specified regular expression are considered either continuations of a previous line or the start of a new multiline event. You can set the negate option to negate the pattern.

multiline.negate

Defines whether the pattern is negated. The default is false.

multiline.match

Specifies how Filebeat combines matching lines into an event. The settings are after or before. The behavior of these settings depends on what you specify for negate:

Setting for negate Setting for match Result Example pattern: ^b

Setting for `negate`	Setting for `match`	Result
`false`	`after`	Consecutive lines that match the pattern are appended to the previous line that doesn’t match.
`false`	`before`	Consecutive lines that match the pattern are prepended to the next line that doesn’t match.
`true`	`after`	Consecutive lines that don’t match the pattern are appended to the previous line that does match.
`true`	`before`	Consecutive lines that don’t match the pattern are prepended to the next line that does match.

false

after

Consecutive lines that match the pattern are appended to the previous line that doesn’t match.

Lines a b b c b b become "abb" and "cbb"

false

before

Consecutive lines that match the pattern are prepended to the next line that doesn’t match.

Lines b b a b b c become "bba" and "bbc"

true

after

Consecutive lines that don’t match the pattern are appended to the previous line that does match.

Lines b a c b d e become "bac" and "bde"

true

before

Consecutive lines that don’t match the pattern are prepended to the next line that does match.

Lines a c b d e b become "acb" and "deb"

Note	The `after` setting is equivalent to `previous` in Logstash, and `before` is equivalent to `next`.

multiline.flush_pattern

Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. Work only with pattern type.

multiline.max_lines

The maximum number of lines that can be combined into one event. If the multiline message contains more than max_lines, any additional lines are discarded. The default is 500.

multiline.timeout

After the specified timeout, Filebeat sends the multiline event even if no new pattern is found to start a new event. The default is 5s.

multiline.count_lines

The number of lines to aggregate into a single event.

multiline.skip_newline

When set, multiline events are concatenated without a line separator.

Examples of multiline configuration

The examples in this section cover the following use cases:

Combining a Java stack trace into a single event
Combining C-style line continuations into a single event
Combining multiple lines from time-stamped events

Java stack traces

Java stack traces consist of multiple lines, with each line after the initial line beginning with whitespace, as in this example:

Exception in thread "main" java.lang.NullPointerException
        at com.example.myproject.Book.getTitle(Book.java:16)
        at com.example.myproject.Author.getBookTitles(Author.java:25)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)

To consolidate these lines into a single event in Filebeat, use the following multiline configuration with filestream:

parsers:
- multiline:
    type: pattern
    pattern: '^[[:space:]]'
    negate: false
    match: after

Using log input:

multiline.type: pattern
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after

This configuration merges any line that begins with whitespace up to the previous line.

Here’s a Java stack trace that presents a slightly more complex example:

Exception in thread "main" java.lang.IllegalStateException: A book has a null property
       at com.example.myproject.Author.getBookIds(Author.java:38)
       at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Caused by: java.lang.NullPointerException
       at com.example.myproject.Book.getId(Book.java:22)
       at com.example.myproject.Author.getBookIds(Author.java:35)
       ... 1 more

To consolidate these lines into a single event in Filebeat, use the following multiline configuration with filestream:

parsers:
- multiline:
    type: pattern
    pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
    negate: false
    match: after

Using log input:

multiline.type: pattern
multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
multiline.negate: false
multiline.match: after

In this example, the pattern matches the following lines:

a line that begins with spaces followed by the word at or …
a line that begins with the words Caused by:

Line continuations

Several programming languages use the backslash (\) character at the end of a line to denote that the line continues, as in this example:

printf ("%10.10ld  \t %10.10ld \t %s\
  %f", w, x, y, z );

To consolidate these lines into a single event in Filebeat, use the following multiline configuration with filestream:

parsers:
- multiline:
    type: pattern
    pattern: '\\$'
    negate: false
    match: before

Using log input:

multiline.type: pattern
multiline.pattern: '\\$'
multiline.negate: false
multiline.match: before

This configuration merges any line that ends with the \ character with the line that follows.

Timestamps

Activity logs from services such as Elasticsearch typically begin with a timestamp, followed by information on the specific activity, as in this example:

[2015-08-24 11:49:14,389][INFO ][env                      ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]

To consolidate these lines into a single event in Filebeat, use the following multiline configuration with filestream:

parsers:
- multiline:
    type: pattern
    pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
    negate: true
    match: after

Using log input:

multiline.type: pattern
multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

This configuration uses the negate: true and match: after settings to specify that any line that does not match the specified pattern belongs to the previous line.

Application events

Sometimes your application logs contain events, that begin and end with custom markers, such as the following example:

[2015-08-24 11:49:14,389] Start new event
[2015-08-24 11:49:14,395] Content of processing something
[2015-08-24 11:49:14,399] End event

To consolidate this as a single event in Filebeat, use the following multiline configuration with filestream:

parsers:
- multiline:
    type: pattern
    pattern: 'Start new event'
    negate: true
    match: after
    flush_pattern: 'End event'

Using log input:

multiline.type: pattern
multiline.pattern: 'Start new event'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End event'

The flush_pattern option, specifies a regex at which the current multiline will be flushed. If you think of the pattern option specifying the beginning of an event, the flush_pattern option will specify the end or last line of the event.

Note

This example will not work correctly if start/end log blocks are mixed with non-multiline logs, or if different start/end log blocks overlap with each other. For instance, Some other log log lines in the following example will be merged into a single multiline document because they neither match multiline.pattern nor multiline.flush_pattern, and multiline.negate is set to true.

[2015-08-24 11:49:14,389] Start new event
[2015-08-24 11:49:14,395] Content of processing something
[2015-08-24 11:49:14,399] End event
[2015-08-24 11:50:14,389] Some other log
[2015-08-24 11:50:14,395] Some other log
[2015-08-24 11:50:14,399] Some other log
[2015-08-24 11:51:14,389] Start new event
[2015-08-24 11:51:14,395] Content of processing something
[2015-08-24 11:51:14,399] End event

Test your regexp pattern for multiline

To make it easier for you to test the regexp patterns in your multiline config, we’ve created a Go Playground. You can simply plug in the regexp pattern along with the multiline.negate setting that you plan to use, and paste a sample message between the content backticks (` `). Then click Run, and you’ll see which lines in the message match your specified configuration. For example:

go playground

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-azure-blob-storage.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-cel.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-cometd.asciidoc[]

Container input

Container

Use the container input to read containers log files.

This input searches for container logs under the given path, and parse them into common message lines, extracting timestamps too. Everything happens before line filtering, multiline, and JSON decoding, so this input can be used in combination with those settings.

Example configuration:

filebeat.inputs:
- type: container
  paths: <1>
    - '/var/log/containers/*.log'

paths is required. All other settings are optional.

Note	'/var/log/containers/.log' is normally a symlink to '/var/log/pods//*/.log', so above path can be edited accordingly

Configuration options

The container input supports the following configuration options plus the Common options described later.

`stream`

Reads from the specified streams only: all, stdout or stderr. The default is all.

`format`

Use the given format when reading the log file: auto, docker or cri. The default is auto, it will automatically detect the format. To disable autodetection set any of the other options.

The following input configures Filebeat to read the stdout stream from all containers under the default Kubernetes logs path:

- type: container
  stream: stdout
  paths:
    - "/var/log/containers/*.log"

`encoding`

The file encoding to use for reading data that contains international characters. See the encoding names recommended by the W3C for use in HTML5.

Valid encodings:

plain: plain ASCII encoding
utf-8 or utf8: UTF-8 encoding
gbk: simplified Chinese charaters
iso8859-6e: ISO8859-6E, Latin/Arabic
iso8859-6i: ISO8859-6I, Latin/Arabic
iso8859-8e: ISO8859-8E, Latin/Hebrew
iso8859-8i: ISO8859-8I, Latin/Hebrew
iso8859-1: ISO8859-1, Latin-1
iso8859-2: ISO8859-2, Latin-2
iso8859-3: ISO8859-3, Latin-3
iso8859-4: ISO8859-4, Latin-4
iso8859-5: ISO8859-5, Latin/Cyrillic
iso8859-6: ISO8859-6, Latin/Arabic
iso8859-7: ISO8859-7, Latin/Greek
iso8859-8: ISO8859-8, Latin/Hebrew
iso8859-9: ISO8859-9, Latin-5
iso8859-10: ISO8859-10, Latin-6
iso8859-13: ISO8859-13, Latin-7
iso8859-14: ISO8859-14, Latin-8
iso8859-15: ISO8859-15, Latin-9
iso8859-16: ISO8859-16, Latin-10
cp437: IBM CodePage 437
cp850: IBM CodePage 850
cp852: IBM CodePage 852
cp855: IBM CodePage 855
cp858: IBM CodePage 858
cp860: IBM CodePage 860
cp862: IBM CodePage 862
cp863: IBM CodePage 863
cp865: IBM CodePage 865
cp866: IBM CodePage 866
ebcdic-037: IBM CodePage 037
ebcdic-1040: IBM CodePage 1140
ebcdic-1047: IBM CodePage 1047
koi8r: KOI8-R, Russian (Cyrillic)
koi8u: KOI8-U, Ukranian (Cyrillic)
macintosh: Macintosh encoding
macintosh-cyrillic: Macintosh Cyrillic encoding
windows1250: Windows1250, Central and Eastern European
windows1251: Windows1251, Russian, Serbian (Cyrillic)
windows1252: Windows1252, Legacy
windows1253: Windows1253, Modern Greek
windows1254: Windows1254, Turkish
windows1255: Windows1255, Hebrew
windows1256: Windows1256, Arabic
windows1257: Windows1257, Estonian, Latvian, Lithuanian
windows1258: Windows1258, Vietnamese
windows874: Windows874, ISO/IEC 8859-11, Latin/Thai
utf-16-bom: UTF-16 with required BOM
utf-16be-bom: big endian UTF-16 with required BOM
utf-16le-bom: little endian UTF-16 with required BOM

The plain encoding is special, because it does not validate or transform any input.

`exclude_lines`

A list of regular expressions to match the lines that you want Filebeat to exclude. Filebeat drops any lines that match a regular expression in the list. By default, no lines are dropped. Empty lines are ignored.

If multiline settings are also specified, each multiline message is combined into a single line before the lines are filtered by exclude_lines.

The following example configures Filebeat to drop any lines that start with DBG.

filebeat.inputs:
- type: container
  ...
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`include_lines`

A list of regular expressions to match the lines that you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list. By default, all lines are exported. Empty lines are ignored.

If multiline settings also specified, each multiline message is combined into a single line before the lines are filtered by include_lines.

The following example configures Filebeat to export any lines that start with ERR or WARN:

filebeat.inputs:
- type: container
  ...
  include_lines: ['^ERR', '^WARN']

Note

If both include_lines and exclude_lines are defined, Filebeat executes include_lines first and then executes exclude_lines. The order in which the two options are defined doesn’t matter. The include_lines option will always be executed before the exclude_lines option, even if exclude_lines appears before include_lines in the config file.

The following example exports all log lines that contain sometext, except for lines that begin with DBG (debug messages):

filebeat.inputs:
- type: container
  ...
  include_lines: ['sometext']
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`harvester_buffer_size`

The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.

`max_bytes`

The maximum number of bytes that a single log message can have. All bytes after max_bytes are discarded and not sent. This setting is especially useful for multiline log messages, which can get large. The default is 10MB (10485760).

`json`

These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.

The decoding happens before line filtering and multiline. You can combine JSON decoding with filtering and multiline if you set the message_key option. This can be helpful in situations where the application logs are wrapped in JSON objects, as with like it happens for example with Docker.

Example configuration:

json.keys_under_root: true
json.add_error_key: true
json.message_key: log

You must specify at least one of the following settings to enable JSON parsing mode:

keys_under_root: By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
overwrite_keys: If keys_under_root and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
expand_keys: If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, {"a.b.c": 123} would be expanded into {"a":{"b":{"c":123}}}. This setting should be enabled when the input is produced by an ECS logger.
add_error_key: If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a message_key is defined in the configuration but cannot be used.
message_key: An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
document_id: Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in @metadata._id
ignore_decoding_error: An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.

`multiline`

Options that control how Filebeat deals with log messages that span multiple lines. See Manage multiline messages for more information about configuring multiline options.

`exclude_files`

A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.

The following example configures Filebeat to ignore all the files that have a gz extension:

filebeat.inputs:
- type: container
  ...
  exclude_files: ['\.gz$']

See [regexp-support] for a list of supported regexp patterns.

`ignore_older`

If this option is enabled, Filebeat ignores any files that were modified before the specified timespan. Configuring ignore_older can be especially useful if you keep log files for a long time. For example, if you want to start Filebeat, but only want to send the newest files and files from last week, you can configure this option.

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.

Important

You must set ignore_older to be greater than close_inactive.

The files affected by this setting fall into two categories:

Files that were never harvested
Files that were harvested but weren’t updated for longer than ignore_older

For files which were never seen before, the offset state is set to the end of the file. If a state already exist, the offset is not changed. In case a file is updated again later, reading continues at the set offset position.

The ignore_older setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the ignore_older setting may cause Filebeat to ignore files even though content was added at a later time.

To remove the state of previously harvested files from the registry file, use the clean_inactive configuration option.

Before a file can be ignored by Filebeat, the file must be closed. To ensure a file is no longer being harvested when it is ignored, you must set ignore_older to a longer duration than close_inactive.

If a file that’s currently being harvested falls under ignore_older, the harvester will first finish reading the file and close it after close_inactive is reached. Then, after that, the file will be ignored.

`close_*`

The close_* configuration options are used to close the harvester after a certain criteria or time. Closing the harvester means closing the file handler. If a file is updated after the harvester is closed, the file will be picked up again after scan_frequency has elapsed. However, if the file is moved or deleted while the harvester is closed, Filebeat will not be able to pick up the file again, and any data that the harvester hasn’t read will be lost. The close_* settings are applied synchronously when Filebeat attempts to read from a file, meaning that if Filebeat is in a blocked state due to blocked output, full queue or other issue, a file that would otherwise be closed remains open until Filebeat once again attempts to read from the file.

`close_inactive`

When this option is enabled, Filebeat closes the file handle if a file has not been harvested for the specified duration. The counter for the defined period starts when the last log line was read by the harvester. It is not based on the modification time of the file. If the closed file changes again, a new harvester is started and the latest changes will be picked up after scan_frequency has elapsed.

We recommended that you set close_inactive to a value that is larger than the least frequent updates to your log files. For example, if your log files get updated every few seconds, you can safely set close_inactive to 1m. If there are log files with very different update rates, you can use multiple configurations with different values.

Setting close_inactive to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.

The timestamp for closing a file does not depend on the modification time of the file. Instead, Filebeat uses an internal timestamp that reflects when the file was last harvested. For example, if close_inactive is set to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the last line of the file.

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.

`close_renamed`

Warning

Only use this option if you understand that data loss is a potential side effect.

When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the close_renamed option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the path, the file will not be picked up again. Filebeat will not finish reading the file.

Do not use this option when path based file_identity is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.

`close_removed`

When this option is enabled, Filebeat closes the harvester when a file is removed. Normally a file should only be removed after it’s inactive for the duration specified by close_inactive. However, if a file is removed early and you don’t enable close_removed, Filebeat keeps the file open to make sure the harvester has completed. If this setting results in files that are not completely read because they are removed from disk too early, disable this option.

This option is enabled by default. If you disable this option, you must also disable clean_removed.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.

`close_eof`

Warning

Only use this option if you understand that data loss is a potential side effect.

When this option is enabled, Filebeat closes a file as soon as the end of a file is reached. This is useful when your files are only written once and not updated from time to time. For example, this happens when you are writing every single log event to a new file. This option is disabled by default.

`close_timeout`

Warning

Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.

When this option is enabled, Filebeat gives every harvester a predefined lifetime. Regardless of where the reader is in the file, reading will stop after the close_timeout period has elapsed. This option can be useful for older log files when you want to spend only a predefined amount of time on the files. While close_timeout will close the file after the predefined timeout, if the file is still being updated, Filebeat will start a new harvester again per the defined scan_frequency. And the close_timeout for this harvester will start again with the countdown for the timeout.

This option is particularly useful in case the output is blocked, which makes Filebeat keep open file handlers even for files that were deleted from the disk. Setting close_timeout to 5m ensures that the files are periodically closed so they can be freed up by the operating system.

If you set close_timeout to equal ignore_older, the file will not be picked up if it’s modified while the harvester is closed. This combination of settings normally leads to data loss, and the complete file is not sent.

When you use close_timeout for logs that contain multiline events, the harvester might stop in the middle of a multiline event, which means that only parts of the event will be sent. If the harvester is started again and the file still exists, only the second part of the event will be sent.

This option is set to 0 by default which means it is disabled.

`clean_*`

The clean_* options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential inode reuse issue.

`clean_inactive`

Warning

Only use this option if you understand that data loss is a potential side effect.

When this option is enabled, Filebeat removes the state of a file after the specified period of inactivity has elapsed. The state can only be removed if the file is already ignored by Filebeat (the file is older than ignore_older). The clean_inactive setting must be greater than ignore_older scan_frequency to make sure that no states are removed while a file is still being harvested. Otherwise, the setting could result in Filebeat resending the full content constantly because clean_inactive removes state for files that are still detected by Filebeat. If a file is updated or appears again, the file is read from the beginning.

The clean_inactive configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.

This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see Inode reuse causes Filebeat to skip lines.

Note	Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.

Tip

During testing, you might notice that the registry contains state entries that should be removed based on the clean_inactive setting. This happens because Filebeat doesn’t remove the entries until it opens the registry again to read a different file. If you are testing the clean_inactive setting, make sure Filebeat is configured to read from more than one file, or the file state will never be removed from the registry.

`clean_removed`

When this option is enabled, Filebeat cleans files from the registry if they cannot be found on disk anymore under the last known name. This means also files which were renamed after the harvester was finished will be removed. This option is enabled by default.

If a shared drive disappears for a short period and appears again, all files will be read again from the beginning because the states were removed from the registry file. In such cases, we recommend that you disable the clean_removed option.

You must disable this option if you also disable close_removed.

`scan_frequency`

How often Filebeat checks for new files in the paths that are specified for harvesting. For example, if you specify a glob like /var/log/*, the directory is scanned for files using the frequency specified by scan_frequency. Specify 1s to scan the directory as frequently as possible without causing Filebeat to scan too frequently. We do not recommend to set this value <1s.

If you require log lines to be sent in near real time do not use a very low scan_frequency but adjust close_inactive so the file handler stays open and constantly polls your files.

The default setting is 10s.

`scan.sort`

experimental[]

If you specify a value other than the empty string for this setting you can determine whether to use ascending or descending order using scan.order. Possible values are modtime and filename. To sort by file modification time, use modtime, otherwise use filename. Leave this option empty to disable it.

If you specify a value for this setting, you can use scan.order to configure whether files are scanned in ascending or descending order.

The default setting is disabled.

`scan.order`

experimental[]

Specifies whether to use ascending or descending order when scan.sort is set to a value other than none. Possible values are asc or desc.

The default setting is asc.

`tail_files`

If this option is set to true, Filebeat starts reading new files at the end of each file instead of the beginning. When this option is used in combination with log rotation, it’s possible that the first log entries in a new file might be skipped. The default setting is false.

This option applies to files that Filebeat has not already processed. If you ran Filebeat previously and the state of the file was already persisted, tail_files will not apply. Harvesting will continue at the previous offset. To apply tail_files to all files, you must stop Filebeat and remove the registry file. Be aware that doing this removes ALL previous states.

Note	You can use this setting to avoid indexing old log lines when you run Filebeat on a set of log files for the first time. After the first run, we recommend disabling this option, or you risk losing lines during file rotation.

`symlinks`

The symlinks option allows Filebeat to harvest symlinks in addition to regular files. When harvesting symlinks, Filebeat opens and reads the original file even though it reports the path of the symlink.

When you configure a symlink for harvesting, make sure the original path is excluded. If a single input is configured to harvest both the symlink and the original file, Filebeat will detect the problem and only process the first file it finds. However, if two different inputs are configured (one to read the symlink and the other the original path), both paths will be harvested, causing Filebeat to send duplicate data and the inputs to overwrite each other’s state.

The symlinks option can be useful if symlinks to the log files have additional metadata in the file name, and you want to process the metadata in Logstash. This is, for example, the case for Kubernetes log files.

Because this option may lead to data loss, it is disabled by default.

`backoff`

The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.

The backoff option defines how long Filebeat waits before checking a file again after EOF is reached. The default is 1s, which means the file is checked every second if new lines were added. This enables near real-time crawling. Every time a new line appears in the file, the backoff value is reset to the initial value. The default is 1s.

`max_backoff`

The maximum time for Filebeat to wait before checking a file again after EOF is reached. After having backed off multiple times from checking the file, the wait time will never exceed max_backoff regardless of what is specified for backoff_factor. Because it takes a maximum of 10s to read a new line, specifying 10s for max_backoff means that, at the worst, a new line could be added to the log file if Filebeat has backed off multiple times. The default is 10s.

Requirement: Set max_backoff to be greater than or equal to backoff and less than or equal to scan_frequency (backoff ⇐ max_backoff ⇐ scan_frequency). If max_backoff needs to be higher, it is recommended to close the file handler instead and let Filebeat pick up the file again.

`backoff_factor`

This option specifies how fast the waiting time is increased. The bigger the backoff factor, the faster the max_backoff value is reached. The backoff factor increments exponentially. The minimum value allowed is 1. If this value is set to 1, the backoff algorithm is disabled, and the backoff value is used for waiting for new lines. The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached. The default is 2.

`harvester_limit`

The harvester_limit option limits the number of harvesters that are started in parallel for one input. This directly relates to the maximum number of file handlers that are opened. The default for harvester_limit is 0, which means there is no limit. This configuration is useful if the number of files to be harvested exceeds the open file handler limit of the operating system.

Setting a limit on the number of harvesters means that potentially not all files are opened in parallel. Therefore we recommended that you use this option in combination with the close_* options to make sure harvesters are stopped more often so that new files can be picked up.

Currently if a new harvester can be started again, the harvester is picked randomly. This means it’s possible that the harvester for a file that was just closed and then updated again might be started instead of the harvester for a file that hasn’t been harvested for a longer period of time.

This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters.

`file_identity`

Different file_identity methods can be configured to suit the environment where you are collecting log messages.

native: The default behaviour of Filebeat is to differentiate between files using their inodes and device ids.

file_identity.native: ~

path: To identify files based on their paths use this strategy.

Warning

Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.

Warning

This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.

file_identity.path: ~

inode_marker: If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.

Set the location of the marker file the following way:

file_identity.inode_marker.path: /logs/.filebeat-marker

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

A list of tags that Filebeat includes in the tags field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.

Example:

filebeat.inputs:
- type: container
  . . .
  tags: ["json"]

`fields`

Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a fields sub-dictionary in the output document. To store the custom fields as top-level fields, set the fields_under_root option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.

filebeat.inputs:
- type: container
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the raw_index field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use output.elasticsearch.index or a processor.

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc[]

filestream input

filestream

Use the filestream input to read lines from active log files. It is the new, improved alternative to the log input. It comes with various improvements to the existing input:

Checking of close_* options happens out of band. Thus, if an output is blocked, Filebeat can close the reader and avoid keeping too many files open.
Detailed metrics are available for all files that match the paths configuration regardless of the harvester_limit. This way, you can keep track of all files, even ones that are not actively read.
The order of parsers is configurable. So it is possible to parse JSON lines and then aggregate the contents into a multiline event.
Some position updates and metadata changes no longer depend on the publishing pipeline. If the pipeline is blocked some changes are still applied to the registry.
Only the most recent updates are serialized to the registry. In contrast, the log input has to serialize the complete registry on each ACK from the outputs. This makes the registry updates much quicker with this input.
The input ensures that only offsets updates are written to the registry append only log. The log writes the complete file state.
Stale entries can be removed from the registry, even if there is no active input.

To configure this input, specify a list of glob-based paths that must be crawled to locate and fetch the log lines.

Example configuration:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  paths:
    - /var/log/messages
    - /var/log/*.log

Warning

Each filestream input must have a unique ID. Omitting or changing the filestream ID may cause data duplication. Without a unique ID, filestream is unable to correctly track the state of files.

You can apply additional configuration settings (such as fields, include_lines, exclude_lines and so on) to the lines harvested from these files. The options that you specify are applied to all the files harvested by this input.

To apply different configuration settings to different files, you need to define multiple input sections:

filebeat.inputs:
- type: filestream <1>
  id: my-filestream-id
  paths:
    - /var/log/system.log
    - /var/log/wifi.log
- type: filestream <2>
  id: apache-filestream-id
  paths:
    - "/var/log/apache2/*"
  fields:
    apache: true

Harvests lines from two files: system.log and wifi.log.
Harvests lines from every file in the apache2 directory, and uses the fields configuration option to add a field called apache to the output.

Reading files on network shares and cloud providers

Warning

Filebeat does not support reading from network shares and cloud providers.

However, one of the limitations of these data sources can be mitigated if you configure Filebeat adequately.

By default, Filebeat identifies files based on their inodes and device IDs. However, on network shares and cloud providers these values might change during the lifetime of the file. If this happens Filebeat thinks that file is new and resends the whole content of the file. To solve this problem you can configure file_identity option. Possible values besides the default inode_deviceid are path, inode_marker and fingerprint.

Warning

Changing file_identity methods between runs may result in duplicated events in the output.

Selecting path instructs Filebeat to identify files based on their paths. This is a quick way to avoid rereading files if inode and device ids might change. However, keep in mind if the files are rotated (renamed), they will be reread and resubmitted.

The option inode_marker can be used if the inodes stay the same even if the device id is changed. You should choose this method if your files are rotated instead of path if possible. You have to configure a marker file readable by Filebeat and set the path in the option path of inode_marker.

The content of this file must be unique to the device. You can put the UUID of the device or mountpoint where the input is stored. The following example oneliner generates a hidden marker file for the selected mountpoint /logs: Please note that you should not use this option on Windows as file identifiers might be more volatile.

Selecting fingerprint instructs Filebeat to identify files based on their content byte range.

Warning

In order to use this file identity option, one must enable the fingerprint option in the scanner. Once this file identity is enabled, changing the fingerprint configuration (offset, length, etc) will lead to a global re-ingestion of all files that match the paths configuration of the input.

Please refer to the fingerprint configuration for details.

$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker

To set the generated file as a marker for file_identity you should configure the input the following way:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  paths:
    - /logs/*.log
  file_identity.inode_marker.path: /logs/.filebeat-marker

Reading from rotating logs

When dealing with file rotation, avoid harvesting symlinks. Instead use the paths setting to point to the original file, and specify a pattern that matches the file you want to harvest and all of its rotated files. Also make sure your log rotation strategy prevents lost or duplicate messages. For more information, see Log rotation results in lost or duplicate events.

Furthermore, to avoid duplicate of rotated log messages, do not use the path method for file_identity. Or exclude the rotated files with exclude_files option.

Prospector options

The prospector is running a file system watcher which looks for files specified in the paths option. At the moment only simple file system scanning is supported.

`id`

A unique identifier for this filestream input. Each filestream input must have a unique ID.

Warning

Changing input ID may cause data duplication because the state of the files will be lost and they will be read from the beginning again.

`paths`

A list of glob-based paths that will be crawled and fetched. All patterns supported by Go Glob are also supported here. For example, to fetch all files from a predefined level of subdirectories, the following pattern can be used: /var/log//.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. It is possible to recursively fetch all files in all subdirectories of a directory using the optional recursive_glob settings.

Filebeat starts a harvester for each file that it finds under the specified paths. You can specify one path per line. Each line begins with a dash (-).

Scanner options

The scanner watches the configured paths. It scans the file system periodically and returns the file system events to the Prospector.

`prospector.scanner.recursive_glob`

Enable expanding into recursive glob patterns. With this feature enabled, the rightmost in each path is expanded into a fixed number of glob patterns. For example: /foo/ expands to /foo, /foo/, /foo//, and so on. If enabled it expands a single into a 8-level deep pattern.

This feature is enabled by default. Set prospector.scanner.recursive_glob to false to disable it.

`prospector.scanner.exclude_files`

A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.

The following example configures Filebeat to ignore all the files that have a gz extension:

filebeat.inputs:
- type: filestream
  ...
  prospector.scanner.exclude_files: ['\.gz$']

See [regexp-support] for a list of supported regexp patterns.

`prospector.scanner.include_files`

A list of regular expressions to match the files that you want Filebeat to include. If a list of regexes is provided, only the files that are allowed by the patterns are harvested.

By default no files are excluded. This option is the counterpart of prospector.scanner.exclude_files.

The following example configures Filebeat to exclude files that are not under /var/log:

filebeat.inputs:
- type: filestream
  ...
  prospector.scanner.include_files: ['^/var/log/.*']

Note	Patterns should start with `^` in case of absolute paths.

See [regexp-support] for a list of supported regexp patterns.

`prospector.scanner.symlinks`

Because this option may lead to data loss, it is disabled by default.

`prospector.scanner.resend_on_touch`

If this option is enabled a file is resent if its size has not changed but its modification time has changed to a later time than before. It is disabled by default to avoid accidentally resending files.

`prospector.scanner.check_interval`

How often Filebeat checks for new files in the paths that are specified for harvesting. For example, if you specify a glob like /var/log/*, the directory is scanned for files using the frequency specified by check_interval. Specify 1s to scan the directory as frequently as possible without causing Filebeat to scan too frequently. We do not recommend to set this value <1s.

If you require log lines to be sent in near real time do not use a very low check_interval but adjust close.on_state_change.inactive so the file handler stays open and constantly polls your files.

The default setting is 10s.

`prospector.scanner.fingerprint`

Instead of relying on the device ID and inode values when comparing files, compare hashes of the given byte ranges of files.

Enable this option if you’re experiencing data loss or data duplication due to unstable file identifiers provided by the file system.

Following are some scenarios where this can happen:

Some file systems (i.e. in Docker) cache and re-use inodes

for example if you:
1. Create a file (touch x)
2. Check the file’s inode (ls -i x)
3. Delete the file (rm x)
4. Create a new file right away (touch y)
5. Check the inode of the new file (ls -i y)
  
  For both files you might see the same inode value despite even having different filenames.
Non-Ext file systems can change inodes:

Ext file systems store the inode number in the i_ino file, inside a struct inode, which is written to disk. In this case, if the file is the same (not another file with the same name) then the inode number is guaranteed to be the same.

If the file system is other than Ext, the inode number is generated by the inode operations defined by the file system driver. As they don’t have the concept of what an inode is, they have to mimic all of the inode’s internal fields to comply with VFS, so this number will probably be different after a reboot, even after closing and opening the file again (theoretically).
Some file processing tools change inode values

Sometimes users unintentionally change inodes by using tools like rsync or sed.
Some operating systems change device IDs after reboot

Depending on a mounting approach, the device ID (which is also used for comparing files) might change after a reboot.

Configuration

Fingerprint mode is disabled by default.

Warning

Enabling fingerprint mode delays ingesting new files until they grow to at least offset+length bytes in size, so they can be fingerprinted. Until then these files are ignored.

Normally, log lines contain timestamps and other unique fields that should be able to use the fingerprint mode, but in every use-case users should inspect their logs to determine what are the appropriate values for the offset and length parameters. Default offset is 0 and default length is 1024 or 1 KB. length cannot be less than 64.

fingerprint:
  enabled: false
  offset: 0
  length: 1024

`ignore_older`

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.

Important

You must set ignore_older to be greater than close.on_state_change.inactive.

The files affected by this setting fall into two categories:

Files that were never harvested
Files that were harvested but weren’t updated for longer than ignore_older

For files which were never seen before, the offset state is set to the end of the file. If a state already exists, the offset is reset to the size of the file. If a file is updated again later, reading continues at the set offset position.

To remove the state of previously harvested files from the registry file, use the clean_inactive configuration option.

If a file that’s currently being harvested falls under ignore_older, the harvester will first finish reading the file and close it after close.on_state_change.inactive is reached. Then, after that, the file will be ignored.

`ignore_inactive`

If this option is enabled, Filebeat ignores every file that has not been updated since the selected time. Possible options are since_first_start and since_last_start. The first option ignores every file that has not been updated since the first start of Filebeat. It is useful when the Beat might be restarted due to configuration changes or a failure. The second option tells the Beat to read from files that have been updated since its start.

The files affected by this setting fall into two categories:

Files that were never harvested
Files that were harvested but weren’t updated since ignore_inactive.

For files that were never seen before, the offset state is set to the end of the file. If a state already exist, the offset is not changed. In case a file is updated again later, reading continues at the set offset position.

The setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the setting may cause Filebeat to ignore files even though content was added at a later time.

To remove the state of previously harvested files from the registry file, use the clean_inactive configuration option.

`take_over`

If take_over is set to true, this filestream will take over all files from log inputs if they match at least one of the paths set in the filestream.

Important

take_over: true requires the filestream to have a unique ID.

This take over mode was created to enable smooth migration from deprecated log inputs to the new filestream inputs.

See Migrate log input configurations to filestream for more details about the migration process.

Warning

The take over mode is still in beta, however, it’s manually reversible due to backups created in the registry.path/filebeat directory and should be generally safe to use.

`close.*`

The close.* configuration options are used to close the harvester after a certain criteria or time. Closing the harvester means closing the file handler. If a file is updated after the harvester is closed, the file will be picked up again after prospector.scanner.check_interval has elapsed. However, if the file is moved or deleted while the harvester is closed, Filebeat will not be able to pick up the file again, and any data that the harvester hasn’t read will be lost.

The close.on_state_change.* settings are applied asynchronously to read from a file, meaning that if Filebeat is in a blocked state due to blocked output, full queue or other issue, a file that would be closed regardless.

`close.on_state_change.inactive`

We recommended that you set close.on_state_change.inactive to a value that is larger than the least frequent updates to your log files. For example, if your log files get updated every few seconds, you can safely set close.on_state_change.inactive to 1m. If there are log files with very different update rates, you can use multiple configurations with different values.

Setting close.on_state_change.inactive to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.

The timestamp for closing a file does not depend on the modification time of the file. Instead, Filebeat uses an internal timestamp that reflects when the file was last harvested. For example, if close.on_state_change.inactive is set to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the last line of the file.

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.

`close.on_state_change.renamed`

Warning

Only use this option if you understand that data loss is a potential side effect.

When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the close.on_state_change.renamed option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the , the file will not be picked up again. Filebeat will not finish reading the file.

Do not use this option when path based file_identity is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.

`close.on_state_change.removed`

When this option is enabled, Filebeat closes the harvester when a file is removed. Normally a file should only be removed after it’s inactive for the duration specified by close.on_state_change.inactive. However, if a file is removed early and you don’t enable close.on_state_change.removed, Filebeat keeps the file open to make sure the harvester has completed. If this setting results in files that are not completely read because they are removed from disk too early, disable this option.

This option is enabled by default. If you disable this option, you must also disable clean_removed.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.

`close.reader.on_eof`

Warning

Only use this option if you understand that data loss is a potential side effect.

`close.reader.after_interval`

Warning

Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.

When this option is enabled, Filebeat gives every harvester a predefined lifetime. Regardless of where the reader is in the file, reading will stop after the close.reader.after_interval period has elapsed. This option can be useful for older log files when you want to spend only a predefined amount of time on the files. While close.reader.after_interval will close the file after the predefined timeout, if the file is still being updated, Filebeat will start a new harvester again per the defined prospector.scanner.check_interval. And the close.reader.after_interval for this harvester will start again with the countdown for the timeout.

This option is particularly useful in case the output is blocked, which makes Filebeat keep open file handlers even for files that were deleted from the disk. Setting close.reader.after_interval to 5m ensures that the files are periodically closed so they can be freed up by the operating system.

If you set close.reader.after_interval to equal ignore_older, the file will not be picked up if it’s modified while the harvester is closed. This combination of settings normally leads to data loss, and the complete file is not sent.

When you use close.reader.after_interval for logs that contain multiline events, the harvester might stop in the middle of a multiline event, which means that only parts of the event will be sent. If the harvester is started again and the file still exists, only the second part of the event will be sent.

This option is set to 0 by default which means it is disabled.

`clean_*`

The clean_* options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential inode reuse issue.

`clean_inactive`

Warning

Only use this option if you understand that data loss is a potential side effect.

When this option is enabled, Filebeat removes the state of a file after the specified period of inactivity has elapsed. The state can only be removed if the file is already ignored by Filebeat (the file is older than ignore_older). The clean_inactive setting must be greater than ignore_older prospector.scanner.check_interval to make sure that no states are removed while a file is still being harvested. Otherwise, the setting could result in Filebeat resending the full content constantly because clean_inactive removes state for files that are still detected by Filebeat. If a file is updated or appears again, the file is read from the beginning.

The clean_inactive configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.

This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see Inode reuse causes Filebeat to skip lines.

Note	Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.

Tip

`clean_removed`

You must disable this option if you also disable close.on_state_change.removed.

`backoff.*`

The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.

`backoff.init`

The backoff.init option defines how long Filebeat waits for the first time before checking a file again after EOF is reached. The backoff intervals increase exponentially. The default is 2s. Thus, the file is checked after 2 seconds, then 4 seconds, then 8 seconds and so on until it reaches the limit defined in backoff.max. Every time a new line appears in the file, the backoff.init value is reset to the initial value.

`backoff.max`

The maximum time for Filebeat to wait before checking a file again after EOF is reached. After having backed off multiple times from checking the file, the wait time will never exceed backoff.max. Because it takes a maximum of 10s to read a new line, specifying 10s for backoff.max means that, at the worst, a new line could be added to the log file if Filebeat has backed off multiple times. The default is 10s.

Requirement: Set backoff.max to be greater than or equal to backoff.init and less than or equal to prospector.scanner.check_interval (backoff.init ⇐ backoff.max ⇐ prospector.scanner.check_interval). If backoff.max needs to be higher, it is recommended to close the file handler instead and let Filebeat pick up the file again.

`file_identity`

Different file_identity methods can be configured to suit the environment where you are collecting log messages.

Warning

Changing file_identity methods between runs may result in duplicated events in the output.

native: The default behaviour of Filebeat is to differentiate between files using their inodes and device ids.

file_identity.native: ~

path: To identify files based on their paths use this strategy.

Warning

Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.

Warning

This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.

file_identity.path: ~

inode_marker: If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.

Set the location of the marker file the following way:

file_identity.inode_marker.path: /logs/.filebeat-marker

fingerprint: To identify files based on their content byte range.

Warning

In order to use this file identity option, you must enable the fingerprint option in the scanner. Once this file identity is enabled, changing the fingerprint configuration (offset, length, or other settings) will lead to a global re-ingestion of all files that match the paths configuration of the input.

Please refer to the fingerprint configuration for details.

file_identity.fingerprint: ~

Log rotation

As log files are constantly written, they must be rotated and purged to prevent the logger application from filling up the disk. Rotation is done by an external application, thus, Filebeat needs information how to cooperate with it.

When reading from rotating files make sure the paths configuration includes both the active file and all rotated files.

By default, Filebeat is able to track files correctly in the following strategies: * create: new active file with a unique name is created on rotation * rename: rotated files are renamed

However, in case of copytruncate strategy, you should provide additional configuration to Filebeat.

rotation.external.strategy.copytruncate

experimental[]

If the log rotating application copies the contents of the active file and then truncates the original file, use these options to help Filebeat to read files correctly.

Set the option suffix_regex so Filebeat can tell active and rotated files apart. There are two supported suffix types in the input: numberic and date.

Numeric suffix

If your rotated files have an incrementing index appended to the end of the filename, e.g. active file apache.log and the rotated files are named apache.log.1, apache.log.2, etc, use the following configuration.

---
rotation.external.strategy.copytruncate:
  suffix_regex: \.\d$
---

Date suffix

If the rotation date is appended to the end of the filename, e.g. active file apache.log and the rotated files are named apache.log-20210526, apache.log-20210527, etc. use the following configuration:

---
rotation.external.strategy.copytruncate:
  suffix_regex: \-\d{6}$
  dateformat: -20060102
---

`encoding`

The file encoding to use for reading data that contains international characters. See the encoding names recommended by the W3C for use in HTML5.

Valid encodings:

plain: plain ASCII encoding
utf-8 or utf8: UTF-8 encoding
gbk: simplified Chinese charaters
iso8859-6e: ISO8859-6E, Latin/Arabic
iso8859-6i: ISO8859-6I, Latin/Arabic
iso8859-8e: ISO8859-8E, Latin/Hebrew
iso8859-8i: ISO8859-8I, Latin/Hebrew
iso8859-1: ISO8859-1, Latin-1
iso8859-2: ISO8859-2, Latin-2
iso8859-3: ISO8859-3, Latin-3
iso8859-4: ISO8859-4, Latin-4
iso8859-5: ISO8859-5, Latin/Cyrillic
iso8859-6: ISO8859-6, Latin/Arabic
iso8859-7: ISO8859-7, Latin/Greek
iso8859-8: ISO8859-8, Latin/Hebrew
iso8859-9: ISO8859-9, Latin-5
iso8859-10: ISO8859-10, Latin-6
iso8859-13: ISO8859-13, Latin-7
iso8859-14: ISO8859-14, Latin-8
iso8859-15: ISO8859-15, Latin-9
iso8859-16: ISO8859-16, Latin-10
cp437: IBM CodePage 437
cp850: IBM CodePage 850
cp852: IBM CodePage 852
cp855: IBM CodePage 855
cp858: IBM CodePage 858
cp860: IBM CodePage 860
cp862: IBM CodePage 862
cp863: IBM CodePage 863
cp865: IBM CodePage 865
cp866: IBM CodePage 866
ebcdic-037: IBM CodePage 037
ebcdic-1040: IBM CodePage 1140
ebcdic-1047: IBM CodePage 1047
koi8r: KOI8-R, Russian (Cyrillic)
koi8u: KOI8-U, Ukranian (Cyrillic)
macintosh: Macintosh encoding
macintosh-cyrillic: Macintosh Cyrillic encoding
windows1250: Windows1250, Central and Eastern European
windows1251: Windows1251, Russian, Serbian (Cyrillic)
windows1252: Windows1252, Legacy
windows1253: Windows1253, Modern Greek
windows1254: Windows1254, Turkish
windows1255: Windows1255, Hebrew
windows1256: Windows1256, Arabic
windows1257: Windows1257, Estonian, Latvian, Lithuanian
windows1258: Windows1258, Vietnamese
windows874: Windows874, ISO/IEC 8859-11, Latin/Thai
utf-16-bom: UTF-16 with required BOM
utf-16be-bom: big endian UTF-16 with required BOM
utf-16le-bom: little endian UTF-16 with required BOM

The plain encoding is special, because it does not validate or transform any input.

`exclude_lines`

The following example configures Filebeat to drop any lines that start with DBG.

filebeat.inputs:
- type: filestream
  ...
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`include_lines`

The following example configures Filebeat to export any lines that start with ERR or WARN:

filebeat.inputs:
- type: filestream
  ...
  include_lines: ['^ERR', '^WARN']

Note

The following example exports all log lines that contain sometext, except for lines that begin with DBG (debug messages):

filebeat.inputs:
- type: filestream
  ...
  include_lines: ['sometext']
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`buffer_size`

The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.

`message_max_bytes`

The maximum number of bytes that a single log message can have. All bytes after message_max_bytes are discarded and not sent. The default is 10MB (10485760).

`parsers`

This option expects a list of parsers that the log line has to go through.

Available parsers:

multiline
ndjson
container
syslog

In this example, Filebeat is reading multiline messages that consist of 3 lines and are encapsulated in single-line JSON objects. The multiline message is stored under the key msg.

filebeat.inputs:
- type: filestream
  ...
  parsers:
    - ndjson:
        target: ""
        message_key: msg
    - multiline:
        type: count
        count_lines: 3

See the available parser settings in detail below.

`multiline`

Options that control how Filebeat deals with log messages that span multiple lines. See Manage multiline messages for more information about configuring multiline options.

`ndjson`

These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per message.

The decoding happens before line filtering. You can combine JSON decoding with filtering if you set the message_key option. This can be helpful in situations where the application logs are wrapped in JSON objects, like when using Docker.

Example configuration:

- ndjson:
    target: ""
    add_error_key: true
    message_key: log

target: The name of the new JSON object that should contain the parsed key value pairs. If you leave it empty, the new keys will go under root.
overwrite_keys: Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want to keep previously added values.
expand_keys: If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, {"a.b.c": 123} would be expanded into {"a":{"b":{"c":123}}}. This setting should be enabled when the input is produced by an ECS logger.
add_error_key: If this setting is enabled, Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a message_key is defined in the configuration but cannot be used.
message_key: An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
document_id: Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original JSON document and stored in @metadata._id
ignore_decoding_error: An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.

`container`

Use the container parser to extract information from containers log files. It parses lines into common message lines, extracting timestamps too.

stream: Reads from the specified streams only: all, stdout or stderr. The default is all.
format: Use the given format when parsing logs: auto, docker or cri. The default is auto, it will automatically detect the format. To disable autodetection set any of the other options.

The following snippet configures Filebeat to read the stdout stream from all containers under the default Kubernetes logs path:

  paths:
    - "/var/log/containers/*.log"
  parsers:
    - container:
        stream: stdout

`syslog`

The syslog parser parses RFC 3146 and/or RFC 5424 formatted syslog messages.

The supported configuration options are:

format: (Optional) The syslog format to use, rfc3164, or rfc5424. To automatically detect the format from the log entries, set this option to auto. The default is auto.
timezone: (Optional) IANA time zone name(e.g. America/New York) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. Local may be specified to use the machine’s local time zone. Defaults to Local.
log_errors: (Optional) If true the parser will log syslog parsing errors. Defaults to false.
add_error_key: (Optional) If this setting is enabled, the parser adds or appends to an error.message key with the parsing error that was encountered. Defaults to true.

Example configuration:

- syslog:
    format: rfc3164
    timezone: America/Chicago
    log_errors: true
    add_error_key: true

Timestamps

The RFC 3164 format accepts the following forms of timestamps:

Local timestamp (Mmm dd hh:mm:ss):
- Jan 23 14:09:01
RFC-3339*:
- 2003-10-11T22:14:15Z
- 2003-10-11T22:14:15.123456Z
- 2003-10-11T22:14:15-06:00
- 2003-10-11T22:14:15.123456-06:00

Note: The local timestamp (for example, Jan 23 14:09:01) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the timezone configuration option, and the year will be enriched using the Filebeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.

The RFC 5424 format accepts the following forms of timestamps:

RFC-3339:
- 2003-10-11T22:14:15Z
- 2003-10-11T22:14:15.123456Z
- 2003-10-11T22:14:15-06:00
- 2003-10-11T22:14:15.123456-06:00

Formats with an asterisk (*) are a non-standard allowance.

`include_message`

Use the include_message parser to filter messages in the parsers pipeline. Messages that match the provided pattern are passed to the next parser, the others are dropped.

You should use include_message instead of include_lines if you would like to control when the filtering happens. include_lines runs after the parsers, include_message runs in the parsers pipeline.

patterns: List of regexp patterns to match.

This example shows you how to include messages that start with the string ERR or WARN:

  paths:
    - "/var/log/containers/*.log"
  parsers:
    - include_message.patterns: ["^ERR", "^WARN"]

Metrics

This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.

Metric Description

Metric	Description
`files_opened_total`	Total number of files opened.
`files_closed_total`	Total number of files closed.
`files_active`	Number of files currently open (gauge).
`messages_read_total`	Total number of messages read.
`bytes_processed_total`	Total number of bytes processed.
`events_processed_total`	Total number of events processed.
`processing_errors_total`	Total number of processing errors.
`processing_time`	Histogram of the elapsed time to process messages (expressed in nanoseconds).

files_opened_total

Total number of files opened.

files_closed_total

Total number of files closed.

files_active

Number of files currently open (gauge).

messages_read_total

Total number of messages read.

bytes_processed_total

Total number of bytes processed.

events_processed_total

Total number of events processed.

processing_errors_total

Total number of processing errors.

processing_time

Histogram of the elapsed time to process messages (expressed in nanoseconds).

Note:

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: filestream
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: filestream
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-gcp-pubsub.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-httpjson.asciidoc[]

Journald input

journald

experimental[]

journald is a system service that collects and stores logging data. The journald input reads this log data and the metadata associated with it.

The simplest configuration example is one that reads all logs from the default journal.

filebeat.inputs:
- type: journald
  id: everything

You may wish to have separate inputs for each service. You can use include_matches to specify filtering expressions. A good way to list the journald fields that are available for filtering messages is to run journalctl -o json to output logs and metadata as JSON. This example collects logs from the vault.service systemd unit.

filebeat.inputs:
- type: journald
  id: service-vault
  include_matches.match:
    - _SYSTEMD_UNIT=vault.service

This example collects kernel logs where the message begins with iptables. Note that include_matches is more efficient than Beat processors because that are applied before the data is passed to the Filebeat so prefer them where possible.

filebeat.inputs:
- type: journald
  id: iptables
  include_matches.match:
    - _TRANSPORT=kernel
  processors:
    - drop_event:
        when.not.regexp.message: '^iptables'

Each example adds the id for the input to ensure the cursor is persisted to the registry with a unique ID. The ID should be unique among journald inputs. If you don’t specify and id then one is created for you by hashing the configuration. So when you modify the config this will result in a new ID and a fresh cursor.

Configuration options

The journald input supports the following configuration options plus the Common options described later.

`id`

An optional unique identifier for the input. By providing a unique id you can operate multiple inputs on the same journal. This allows each input’s cursor to be persisted independently in the registry file.

filebeat.inputs:
- type: journald
  id: consul.service
  include_matches:
    - _SYSTEMD_UNIT=consul.service

- type: journald
  id: vault.service
  include_matches:
    - _SYSTEMD_UNIT=vault.service

`paths`

A list of paths that will be crawled and fetched. Each path can be a directory path (to collect events from all journals in a directory), or a file path. If you specify a directory, Filebeat merges all journals under the directory into a single journal and reads them.

If no paths are specified, Filebeat reads from the default journal.

`backoff`

The number of seconds to wait before trying to read again from journals. The default is 1s.

`max_backoff`

The maximum number of seconds to wait before attempting to read again from journals. The default is 60s.

`seek`

The position to start reading the journal from. Valid settings are:

head: Starts reading at the beginning of the journal. After a restart, Filebeat resends all log messages in the journal.
tail: Starts reading at the end of the journal. This means that no events will be sent until a new message is written.
cursor: On first read, starts reading at the beginning of the journal. After a reload or restart, continues reading at the last known position.
since: Use the since option to determine where to start reading from.

If you have old log files and want to skip lines, start Filebeat with seek: tail specified. Then stop Filebeat, set seek: cursor, and restart Filebeat.

`cursor_seek_fallback`

The position to start reading the journal from if no cursor information is available. Valid options are head, tail and since.

`since`

A time offset from the current time to start reading from. To use since, either the seek option must be set to since, or the seek mode must be set to cursor and the cursor_seek_fallback set to since.

This example demonstrates how to resume from the persisted cursor when it exists, or otherwise begin reading logs from the last 24 hours.

seek: cursor
cursor_seek_fallback: since
since: -24h

`units`

Iterate only the entries of the units specified in this option. The iterated entries include messages from the units, messages about the units by authorized daemons and coredumps. However, it does not match systemd user units.

`syslog_identifiers`

Read only the entries with the selected syslog identifiers.

`transports`

Collect the messages using the specified transports. Example: syslog.

Valid transports:

audit: messages from the kernel audit subsystem
driver: internally generated messages
syslog: messages received via the local syslog socket with the syslog protocol
journal: messages received via the native journal protocol
stdout: messages from a service’s standard output or error output
kernel: messages from the kernel

`include_matches`

A collection of filter expressions used to match fields. The format of the expression is field=value. Filebeat fetches all events that exactly match the expressions. Pattern matching is not supported.

If you configured a filter expression, only entries with this field set will be iterated by the journald reader of Filebeat. If the filter expressions apply to different fields, only entries with all fields set will be iterated. If they apply to the same fields, only entries where the field takes one of the specified values will be iterated.

match: List of filter expressions to match fields. or: The filter expressions listed under or are connected with a disjunction (or). and: The filter expressions listed under and are connected with a conjunction (and).

Please note that these expressions are limited. You can build complex filtering, but full logical expressions are not supported.

The following include matches configuration reads all systemd syslog entries:

include_matches.and:
- match:
  - "journald.process.name=systemd"
  - "systemd.transport=syslog"

To reference fields, use one of the following:

The field name used by the systemd journal. For example, CONTAINER_TAG=redis.
The translated field name used by Filebeat. For example, container.image.tag=redis. Filebeat does not translate all fields from the journal. For custom fields, use the name specified in the systemd journal.

Translated field names

You can use the following translated names in filter expressions to reference journald fields:

Journald field name	Translated name
`COREDUMP_UNIT`	`journald.coredump.unit`
`COREDUMP_USER_UNIT`	`journald.coredump.user_unit`
`OBJECT_AUDIT_LOGINUID`	`journald.object.audit.login_uid`
`OBJECT_AUDIT_SESSION`	`journald.object.audit.session`
`OBJECT_CMDLINE`	`journald.object.cmd`
`OBJECT_COMM`	`journald.object.name`
`OBJECT_EXE`	`journald.object.executable`
`OBJECT_GID`	`journald.object.gid`
`OBJECT_PID`	`journald.object.pid`
`OBJECT_SYSTEMD_OWNER_UID`	`journald.object.systemd.owner_uid`
`OBJECT_SYSTEMD_SESSION`	`journald.object.systemd.session`
`OBJECT_SYSTEMD_UNIT`	`journald.object.systemd.unit`
`OBJECT_SYSTEMD_USER_UNIT`	`journald.object.systemd.user_unit`
`OBJECT_UID`	`journald.object.uid`
`_AUDIT_LOGINUID`	`process.audit.login_uid`
`_AUDIT_SESSION`	`process.audit.session`
`_BOOT_ID`	`host.boot_id`
`_CAP_EFFECTIVE`	`process.capabilites`
`_CMDLINE`	`process.cmd`
`_CODE_FILE`	`journald.code.file`
`_CODE_FUNC`	`journald.code.func`
`_CODE_LINE`	`journald.code.line`
`_COMM`	`process.name`
`_EXE`	`process.executable`
`_GID`	`process.uid`
`_HOSTNAME`	`host.name`
`_KERNEL_DEVICE`	`journald.kernel.device`
`_KERNEL_SUBSYSTEM`	`journald.kernel.subsystem`
`_MACHINE_ID`	`host.id`
`_MESSAGE`	`message`
`_PID`	`process.pid`
`_PRIORITY`	`syslog.priority`
`_SYSLOG_FACILITY`	`syslog.facility`
`_SYSLOG_IDENTIFIER`	`syslog.identifier`
`_SYSLOG_PID`	`syslog.pid`
`_SYSTEMD_CGROUP`	`systemd.cgroup`
`_SYSTEMD_INVOCATION_ID`	`systemd.invocation_id`
`_SYSTEMD_OWNER_UID`	`systemd.owner_uid`
`_SYSTEMD_SESSION`	`systemd.session`
`_SYSTEMD_SLICE`	`systemd.slice`
`_SYSTEMD_UNIT`	`systemd.unit`
`_SYSTEMD_USER_SLICE`	`systemd.user_slice`
`_SYSTEMD_USER_UNIT`	`systemd.user_unit`
`_TRANSPORT`	`systemd.transport`
`_UDEV_DEVLINK`	`journald.kernel.device_symlinks`
`_UDEV_DEVNODE`	`journald.kernel.device_node_path`
`_UDEV_SYSNAME`	`journald.kernel.device_name`
`_UID`	`process.uid`

The following translated fields for Docker are also available:

`CONTAINER_ID`	`container.id_truncated`
`CONTAINER_ID_FULL`	`container.id`
`CONTAINER_NAME`	`container.name`
`CONTAINER_PARTIAL_MESSAGE`	`container.partial`
`CONTAINER_TAG`	`container.image.tag`

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: journald
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: journald
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Kafka input

Kafka

Use the kafka input to read from topics in a Kafka cluster.

To configure this input, specify a list of one or more hosts in the cluster to bootstrap the connection with, a list of topics to track, and a group_id for the connection.

Example configuration:

filebeat.inputs:
- type: kafka
  hosts:
    - kafka-broker-1:9092
    - kafka-broker-2:9092
  topics: ["my-topic"]
  group_id: "filebeat"

The following example shows how to use the kafka input to ingest data from Microsoft Azure Event Hubs that have Kafka compatibility enabled:

filebeat.inputs:
- type: kafka
  hosts: [".servicebus.windows.net:9093"]
  topics: [""]
  group_id: ""

  username: "$ConnectionString"
  password: ""
  ssl.enabled: true

For more details on the mapping between Kafka and Event Hubs configuration parameters, see the Azure documentation.

Compatibility

This input works with all Kafka versions in between 0.11 and 2.8.0. Older versions might work as well, but are not supported.

Configuration options

The kafka input supports the following configuration options plus the Common options described later.

`hosts`

A list of Kafka bootstrapping hosts (brokers) for this cluster.

`topics`

A list of topics to read from.

`group_id`

The Kafka consumer group id.

`client_id`

The Kafka client id (optional).

`version`

The version of the Kafka protocol to use (defaults to "1.0.0").

`initial_offset`

The initial offset to start reading, either "oldest" or "newest". Defaults to "oldest".

`connect_backoff`

How long to wait before trying to reconnect to the kafka cluster after a fatal error. Default is 30s.

`consume_backoff`

How long to wait before retrying a failed read. Default is 2s.

`max_wait_time`

How long to wait for the minimum number of input bytes while reading. Default is 250ms.

`wait_close`

When shutting down, how long to wait for in-flight messages to be delivered and acknowledged.

`isolation_level`

This configures the Kafka group isolation level:

"read_uncommitted" returns all messages in the message channel.
"read_committed" hides messages that are part of an aborted transaction.

The default is "read_uncommitted".

`fetch`

Kafka fetch settings:

min: The minimum number of bytes to wait for. Defaults to 1.
default: The default number of bytes to read per request. Defaults to 1MB.
max: The maximum number of bytes to read per request. Defaults to 0 (no limit).

`expand_event_list_from_field`

If the fileset using this input expects to receive multiple messages bundled under a specific field then the config option expand_event_list_from_field value can be assigned the name of the field. For example in the case of azure filesets the events are found under the json object "records".

{
"records": [ {event1}, {event2}]
}

This setting will be able to split the messages under the group value ('records') into separate events.

`rebalance`

Kafka rebalance settings:

strategy: Either "range" or "roundrobin". Defaults to "range".
timeout: How long to wait for an attempted rebalance. Defaults to 60s.
max_retries: How many times to retry if rebalancing fails. Defaults to 4.
retry_backoff: How long to wait after an unsuccessful rebalance attempt. Defaults to 2s.

`sasl.mechanism`

The SASL mechanism to use when connecting to Kafka. It can be one of:

PLAIN for SASL/PLAIN.
SCRAM-SHA-256 for SCRAM-SHA-256.
SCRAM-SHA-512 for SCRAM-SHA-512.

If sasl.mechanism is not set, PLAIN is used if username and password are provided. Otherwise, SASL authentication is disabled.

To use GSSAPI mechanism to authenticate with Kerberos, you must leave this field empty, and use the [kerberos-option-kafka] options.

`kerberos`

beta[]

Configuration options for Kerberos authentication.

See [configuration-kerberos] for more information.

`parsers`

This option expects a list of parsers that the payload has to go through.

Available parsers:

ndjson
multiline

`ndjson`

These options make it possible for Filebeat to decode the payload as JSON messages.

Example configuration:

- ndjson:
  target: ""
  add_error_key: true
  message_key: log

target: The name of the new JSON object that should contain the parsed key value pairs. If you leave it empty, the new keys will go under root.
overwrite_keys: Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want to keep previously added values.
expand_keys: If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, {"a.b.c": 123} would be expanded into {"a":{"b":{"c":123}}}. This setting should be enabled when the input is produced by an ECS logger.
add_error_key: If this setting is enabled, Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a message_key is defined in the configuration but cannot be used.
message_key: An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
document_id: Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original JSON document and stored in @metadata._id
ignore_decoding_error: An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.

`multiline`

Options that control how Filebeat deals with log messages that span multiple lines. See Manage multiline messages for more information about configuring multiline options.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: kafka
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: kafka
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Log input

deprecated:[7.16.0]

The log input is deprecated. Please use the the filestream input for sending log files to outputs.

Log

Use the log input to read lines from log files.

To configure this input, specify a list of glob-based paths that must be crawled to locate and fetch the log lines.

Example configuration:

filebeat.inputs:
- type: log
  paths:
    - /var/log/messages
    - /var/log/*.log

You can apply additional configuration settings (such as fields, include_lines, exclude_lines, multiline, and so on) to the lines harvested from these files. The options that you specify are applied to all the files harvested by this input.

To apply different configuration settings to different files, you need to define multiple input sections:

filebeat.inputs:
- type: log <1>
  paths:
    - /var/log/system.log
    - /var/log/wifi.log
- type: log <2>
  paths:
    - "/var/log/apache2/*"
  fields:
    apache: true
  fields_under_root: true

Harvests lines from two files: system.log and wifi.log.
Harvests lines from every file in the apache2 directory, and uses the fields configuration option to add a field called apache to the output.

Important

Make sure a file is not defined more than once across all inputs because this can lead to unexpected behaviour.

Reading files on network shares and cloud providers

Warning

Filebeat does not support reading from network shares and cloud providers.

However, one of the limitations of these data sources can be mitigated if you configure Filebeat adequately.

$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker

To set the generated file as a marker for file_identity you should configure the input the following way:

filebeat.inputs:
- type: log
  paths:
    - /logs/*.log
  file_identity.inode_marker.path: /logs/.filebeat-marker

Reading from rotating logs

Furthermore, to avoid duplicate of rotated log messages, do not use the path method for file_identity. Or exclude the rotated files with exclude_files option.

Configuration options

The log input supports the following configuration options plus the Common options described later.

`paths`

Filebeat starts a harvester for each file that it finds under the specified paths. You can specify one path per line. Each line begins with a dash (-).

`recursive_glob.enabled`

This feature is enabled by default. Set recursive_glob.enabled to false to disable it.

`encoding`

The file encoding to use for reading data that contains international characters. See the encoding names recommended by the W3C for use in HTML5.

Valid encodings:

plain: plain ASCII encoding
utf-8 or utf8: UTF-8 encoding
gbk: simplified Chinese charaters
iso8859-6e: ISO8859-6E, Latin/Arabic
iso8859-6i: ISO8859-6I, Latin/Arabic
iso8859-8e: ISO8859-8E, Latin/Hebrew
iso8859-8i: ISO8859-8I, Latin/Hebrew
iso8859-1: ISO8859-1, Latin-1
iso8859-2: ISO8859-2, Latin-2
iso8859-3: ISO8859-3, Latin-3
iso8859-4: ISO8859-4, Latin-4
iso8859-5: ISO8859-5, Latin/Cyrillic
iso8859-6: ISO8859-6, Latin/Arabic
iso8859-7: ISO8859-7, Latin/Greek
iso8859-8: ISO8859-8, Latin/Hebrew
iso8859-9: ISO8859-9, Latin-5
iso8859-10: ISO8859-10, Latin-6
iso8859-13: ISO8859-13, Latin-7
iso8859-14: ISO8859-14, Latin-8
iso8859-15: ISO8859-15, Latin-9
iso8859-16: ISO8859-16, Latin-10
cp437: IBM CodePage 437
cp850: IBM CodePage 850
cp852: IBM CodePage 852
cp855: IBM CodePage 855
cp858: IBM CodePage 858
cp860: IBM CodePage 860
cp862: IBM CodePage 862
cp863: IBM CodePage 863
cp865: IBM CodePage 865
cp866: IBM CodePage 866
ebcdic-037: IBM CodePage 037
ebcdic-1040: IBM CodePage 1140
ebcdic-1047: IBM CodePage 1047
koi8r: KOI8-R, Russian (Cyrillic)
koi8u: KOI8-U, Ukranian (Cyrillic)
macintosh: Macintosh encoding
macintosh-cyrillic: Macintosh Cyrillic encoding
windows1250: Windows1250, Central and Eastern European
windows1251: Windows1251, Russian, Serbian (Cyrillic)
windows1252: Windows1252, Legacy
windows1253: Windows1253, Modern Greek
windows1254: Windows1254, Turkish
windows1255: Windows1255, Hebrew
windows1256: Windows1256, Arabic
windows1257: Windows1257, Estonian, Latvian, Lithuanian
windows1258: Windows1258, Vietnamese
windows874: Windows874, ISO/IEC 8859-11, Latin/Thai
utf-16-bom: UTF-16 with required BOM
utf-16be-bom: big endian UTF-16 with required BOM
utf-16le-bom: little endian UTF-16 with required BOM

The plain encoding is special, because it does not validate or transform any input.

`exclude_lines`

If multiline settings are also specified, each multiline message is combined into a single line before the lines are filtered by exclude_lines.

The following example configures Filebeat to drop any lines that start with DBG.

filebeat.inputs:
- type: log
  ...
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`include_lines`

If multiline settings also specified, each multiline message is combined into a single line before the lines are filtered by include_lines.

The following example configures Filebeat to export any lines that start with ERR or WARN:

filebeat.inputs:
- type: log
  ...
  include_lines: ['^ERR', '^WARN']

Note

The following example exports all log lines that contain sometext, except for lines that begin with DBG (debug messages):

filebeat.inputs:
- type: log
  ...
  include_lines: ['sometext']
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`harvester_buffer_size`

The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.

`max_bytes`

`json`

These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.

Example configuration:

json.keys_under_root: true
json.add_error_key: true
json.message_key: log

You must specify at least one of the following settings to enable JSON parsing mode:

keys_under_root: By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
overwrite_keys: If keys_under_root and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
expand_keys: If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, {"a.b.c": 123} would be expanded into {"a":{"b":{"c":123}}}. This setting should be enabled when the input is produced by an ECS logger.
add_error_key: If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a message_key is defined in the configuration but cannot be used.
message_key: An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
document_id: Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in @metadata._id
ignore_decoding_error: An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.

`multiline`

Options that control how Filebeat deals with log messages that span multiple lines. See Manage multiline messages for more information about configuring multiline options.

`exclude_files`

A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.

The following example configures Filebeat to ignore all the files that have a gz extension:

filebeat.inputs:
- type: log
  ...
  exclude_files: ['\.gz$']

See [regexp-support] for a list of supported regexp patterns.

`ignore_older`

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.

Important

You must set ignore_older to be greater than close_inactive.

The files affected by this setting fall into two categories:

Files that were never harvested
Files that were harvested but weren’t updated for longer than ignore_older

To remove the state of previously harvested files from the registry file, use the clean_inactive configuration option.

`close_*`

`close_inactive`

Setting close_inactive to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.

You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.

`close_renamed`

Warning

Only use this option if you understand that data loss is a potential side effect.

Do not use this option when path based file_identity is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.

`close_removed`

This option is enabled by default. If you disable this option, you must also disable clean_removed.

WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.

`close_eof`

Warning

Only use this option if you understand that data loss is a potential side effect.

`close_timeout`

Warning

Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.

This option is set to 0 by default which means it is disabled.

`clean_*`

The clean_* options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential inode reuse issue.

`clean_inactive`

Warning

Only use this option if you understand that data loss is a potential side effect.

The clean_inactive configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.

This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see Inode reuse causes Filebeat to skip lines.

Note	Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.

Tip

`clean_removed`

You must disable this option if you also disable close_removed.

`scan_frequency`

If you require log lines to be sent in near real time do not use a very low scan_frequency but adjust close_inactive so the file handler stays open and constantly polls your files.

The default setting is 10s.

`scan.sort`

experimental[]

If you specify a value for this setting, you can use scan.order to configure whether files are scanned in ascending or descending order.

The default setting is disabled.

`scan.order`

experimental[]

Specifies whether to use ascending or descending order when scan.sort is set to a value other than none. Possible values are asc or desc.

The default setting is asc.

`tail_files`

Note	You can use this setting to avoid indexing old log lines when you run Filebeat on a set of log files for the first time. After the first run, we recommend disabling this option, or you risk losing lines during file rotation.

`symlinks`

Because this option may lead to data loss, it is disabled by default.

`backoff`

The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.

`max_backoff`

`backoff_factor`

`harvester_limit`

This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters.

`file_identity`

Different file_identity methods can be configured to suit the environment where you are collecting log messages.

native: The default behaviour of Filebeat is to differentiate between files using their inodes and device ids.

file_identity.native: ~

path: To identify files based on their paths use this strategy.

Warning

Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.

Warning

This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.

file_identity.path: ~

inode_marker: If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.

Set the location of the marker file the following way:

file_identity.inode_marker.path: /logs/.filebeat-marker

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: log
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: log
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

MQTT input

MQTT

Use the MQTT input to read data transmitted using lightweight messaging protocol for small and mobile devices, optimized for high-latency or unreliable networks.

This input connects to the MQTT broker, subscribes to selected topics and parses data into common message lines. Everything happens before line filtering, multiline, and JSON decoding, so this input can be used in combination with those settings.

Example configuration:

filebeat.inputs:
- type: mqtt
  hosts: <1>
    - tcp://broker:1883
    - ssl://secure_broker:8883
  topics: <2>
    - sample_topic

hosts are required.
topics are required.

All other settings are optional.

Configuration options

The mqtt input supports the following configuration options plus the Common options described later.

`hosts`

A list of MQTT brokers to connect to.

`topics`

A list of topics to subscribe to and read from.

`qos`

An agreement level between the sender of a message and the receiver of a message that defines the guarantee of delivery.

There are 3 QoS levels in MQTT. Defaults to 0:

At most once (0),
At least once (1),
Exactly once (2).

`client_id`

A unique identifier of each MQTT client connecting to a MQTT broker.

`username`

A client username used for authentication provided on the application level by the MQTT protocol.

`password`

A client password used for authentication provided on the application level by the MQTT protocol.

`clean_session`

The clean_session flag indicates whether the client wants to establish a persistent session with the broker. The default is true.

When clean_session is set to false, the session is considered to be persistent. The broker stores all subscriptions for the client and all missed messages for the client that subscribed with a Quality of Service (QoS) level 1 or 2.

In contrast, when clean_session is set to true, the broker doesn’t retain any information for the client and discards any previous state from any persistent session.

`ssl`

Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.

See [configuration-ssl] for more information.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: mqtt
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: mqtt
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-netflow.asciidoc[]

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-o365audit.asciidoc[]

Redis input

Redis

experimental[]

Use the redis input to read entries from Redis slowlogs.

Example configuration:

filebeat.inputs:
- type: redis
  hosts: ["localhost:6379"]
  password: "${redis_pwd}"

Configuration options

The redis input supports the following configuration options plus the Common options described later.

`hosts`

The list of Redis hosts to connect to.

`password`

The password to use when connecting to Redis.

`scan_frequency`

How often Filebeat reads entries from Redis slowlogs. Specify 1s to scan Redis as frequently as possible without causing Filebeat to scan too frequently. Do not set this value to less than 1s.

The default is 10s.

Important

Redis slowlogs are not permanent. To ensure that all slowlog entries are collected, set scan_frequency to a value that allows Filebeat sufficient time to connect to Redis, query the logs, and buffer them to the output within the specified interval.

`timeout`

How long to wait for a response from Redis before the input returns an error. The default is 1s.

`network`

The network type to use for the Redis connection. Valid settings include: tcp, tcp4, tcp6, and unix. The default is tcp.

`maxconn`

The maximum number of concurrent connections. The default is 10.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: redis
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: redis
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Stdin input

Stdin

Use the stdin input to read events from standard in.

Note: This input cannot be run at the same time with other input types.

Example configuration:

filebeat.inputs:
- type: stdin

Configuration options

The stdin input supports the following configuration options plus the Common options described later.

`encoding`

The file encoding to use for reading data that contains international characters. See the encoding names recommended by the W3C for use in HTML5.

Valid encodings:

plain: plain ASCII encoding
utf-8 or utf8: UTF-8 encoding
gbk: simplified Chinese charaters
iso8859-6e: ISO8859-6E, Latin/Arabic
iso8859-6i: ISO8859-6I, Latin/Arabic
iso8859-8e: ISO8859-8E, Latin/Hebrew
iso8859-8i: ISO8859-8I, Latin/Hebrew
iso8859-1: ISO8859-1, Latin-1
iso8859-2: ISO8859-2, Latin-2
iso8859-3: ISO8859-3, Latin-3
iso8859-4: ISO8859-4, Latin-4
iso8859-5: ISO8859-5, Latin/Cyrillic
iso8859-6: ISO8859-6, Latin/Arabic
iso8859-7: ISO8859-7, Latin/Greek
iso8859-8: ISO8859-8, Latin/Hebrew
iso8859-9: ISO8859-9, Latin-5
iso8859-10: ISO8859-10, Latin-6
iso8859-13: ISO8859-13, Latin-7
iso8859-14: ISO8859-14, Latin-8
iso8859-15: ISO8859-15, Latin-9
iso8859-16: ISO8859-16, Latin-10
cp437: IBM CodePage 437
cp850: IBM CodePage 850
cp852: IBM CodePage 852
cp855: IBM CodePage 855
cp858: IBM CodePage 858
cp860: IBM CodePage 860
cp862: IBM CodePage 862
cp863: IBM CodePage 863
cp865: IBM CodePage 865
cp866: IBM CodePage 866
ebcdic-037: IBM CodePage 037
ebcdic-1040: IBM CodePage 1140
ebcdic-1047: IBM CodePage 1047
koi8r: KOI8-R, Russian (Cyrillic)
koi8u: KOI8-U, Ukranian (Cyrillic)
macintosh: Macintosh encoding
macintosh-cyrillic: Macintosh Cyrillic encoding
windows1250: Windows1250, Central and Eastern European
windows1251: Windows1251, Russian, Serbian (Cyrillic)
windows1252: Windows1252, Legacy
windows1253: Windows1253, Modern Greek
windows1254: Windows1254, Turkish
windows1255: Windows1255, Hebrew
windows1256: Windows1256, Arabic
windows1257: Windows1257, Estonian, Latvian, Lithuanian
windows1258: Windows1258, Vietnamese
windows874: Windows874, ISO/IEC 8859-11, Latin/Thai
utf-16-bom: UTF-16 with required BOM
utf-16be-bom: big endian UTF-16 with required BOM
utf-16le-bom: little endian UTF-16 with required BOM

The plain encoding is special, because it does not validate or transform any input.

`exclude_lines`

If multiline settings are also specified, each multiline message is combined into a single line before the lines are filtered by exclude_lines.

The following example configures Filebeat to drop any lines that start with DBG.

filebeat.inputs:
- type: stdin
  ...
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`include_lines`

If multiline settings also specified, each multiline message is combined into a single line before the lines are filtered by include_lines.

The following example configures Filebeat to export any lines that start with ERR or WARN:

filebeat.inputs:
- type: stdin
  ...
  include_lines: ['^ERR', '^WARN']

Note

The following example exports all log lines that contain sometext, except for lines that begin with DBG (debug messages):

filebeat.inputs:
- type: stdin
  ...
  include_lines: ['sometext']
  exclude_lines: ['^DBG']

See [regexp-support] for a list of supported regexp patterns.

`harvester_buffer_size`

The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.

`max_bytes`

`json`

These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.

Example configuration:

json.keys_under_root: true
json.add_error_key: true
json.message_key: log

You must specify at least one of the following settings to enable JSON parsing mode:

keys_under_root: By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
overwrite_keys: If keys_under_root and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
expand_keys: If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, {"a.b.c": 123} would be expanded into {"a":{"b":{"c":123}}}. This setting should be enabled when the input is produced by an ECS logger.
add_error_key: If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a message_key is defined in the configuration but cannot be used.
message_key: An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
document_id: Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in @metadata._id
ignore_decoding_error: An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.

`multiline`

Options that control how Filebeat deals with log messages that span multiple lines. See Manage multiline messages for more information about configuring multiline options.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: stdin
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: stdin
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Syslog input

Syslog

The syslog input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket.

Example configurations:

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "localhost:9000"

filebeat.inputs:
- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:9000"

filebeat.inputs:
- type: syslog
  format: auto
  protocol.unix:
    path: "/path/to/syslog.sock"

Configuration options

The syslog input configuration includes format, protocol specific options, and the Common options described later.

`format`

The syslog variant to use, rfc3164 or rfc5424. To automatically detect the format from the log entries, set this option to auto. The default is rfc3164.

`timezone`

IANA time zone name (e.g. America/New_York) or fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. Local may be specified to use the machine’s local time zone. Defaults to Local.

Protocol `udp`:

`max_message_size`

The maximum size of the message received over UDP. The default is 10KiB.

`host`

The host and UDP port to listen on for event streams.

`read_buffer`

The size of the read buffer on the UDP socket. If not specified the default from the operating system will be used.

`timeout`

The read and write timeout for socket operations. The default is 5m.

Protocol `tcp`:

`max_message_size`

The maximum size of the message received over TCP. The default is 20MiB.

`host`

The host and TCP port to listen on for event streams.

`framing`

Specify the framing used to split incoming events. Can be one of delimiter or rfc6587. delimiter uses the characters specified in line_delimiter to split the incoming events. rfc6587 supports octet counting and non-transparent framing as described in RFC6587. line_delimiter is used to split the events in non-transparent framing. The default is delimiter.

`line_delimiter`

Specify the characters used to split the incoming events. The default is '\n'.

`max_connections`

The at most number of connections to accept at any given point in time.

`timeout`

The number of seconds of inactivity before a remote connection is closed. The default is 300s.

`ssl`

Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.

See [configuration-ssl] for more information.

Protocol `unix`:

`max_message_size`

The maximum size of the message received over the socket. The default is 20MiB.

`path`

The path to the Unix socket that will receive events.

`socket_type`

The type to of the Unix socket that will receive events. Valid values are stream and datagram. The default is stream.

`group`

The group ownership of the Unix socket that will be created by Filebeat. The default is the primary group name for the user Filebeat is running as. This option is ignored on Windows.

`mode`

The file mode of the Unix socket that will be created by Filebeat. This is expected to be a file mode as an octal string. The default value is the system default (generally 0755).

`framing`

`line_delimiter`

Specify the characters used to split the incoming events. The default is '\n'.

`max_connections`

The at most number of connections to accept at any given point in time.

`timeout`

The number of seconds of inactivity before a connection is closed. The default is 300s.

See [configuration-ssl] for more information.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: syslog
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: syslog
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

TCP input

TCP

Use the TCP input to read events over TCP.

Example configuration:

filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  host: "localhost:9000"

Configuration options

The tcp input supports the following configuration options plus the Common options described later.

`max_message_size`

The maximum size of the message received over TCP. The default is 20MiB.

`host`

The host and TCP port to listen on for event streams.

`framing`

`line_delimiter`

Specify the characters used to split the incoming events. The default is '\n'.

`max_connections`

The at most number of connections to accept at any given point in time.

`timeout`

The number of seconds of inactivity before a remote connection is closed. The default is 300s.

`ssl`

Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.

See [configuration-ssl] for more information.

Metrics

This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.

Metric Description

device

Host/port of the TCP stream.

received_events_total

Total number of packets (events) that have been received.

received_bytes_total

Total number of bytes received.

receive_queue_length

Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge).

arrival_period

Histogram of the time between successive packets in nanoseconds.

processing_time

Histogram of the time taken to process packets in nanoseconds.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: tcp
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: tcp
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

UDP input

UDP

Use the udp input to read events over UDP.

Example configuration:

filebeat.inputs:
- type: udp
  max_message_size: 10KiB
  host: "localhost:8080"

Configuration options

The udp input supports the following configuration options plus the Common options described later.

`max_message_size`

The maximum size of the message received over UDP. The default is 10KiB.

`host`

The host and UDP port to listen on for event streams.

`read_buffer`

The size of the read buffer on the UDP socket. If not specified the default from the operating system will be used.

`timeout`

The read and write timeout for socket operations. The default is 5m.

Metrics

This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.

Metric Description

device

Host/port of the UDP stream.

udp_read_buffer_length_gauge

Size of the UDP socket buffer length in bytes (gauge).

received_events_total

Total number of packets (events) that have been received.

received_bytes_total

Total number of bytes received.

receive_queue_length

Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge).

system_packet_drops

Aggregated number of system packet drops (IPv4 and IPv6) (linux only) (gauge).

arrival_period

Histogram of the time between successive packets in nanoseconds.

processing_time

Histogram of the time taken to process packets in nanoseconds.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: udp
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: udp
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Unix input

beta[]

Unix

Use the unix input to read events over a stream-oriented Unix domain socket.

Example configuration:

filebeat.inputs:
- type: unix
  max_message_size: 10MiB
  path: "/var/run/filebeat.sock"

Configuration options

The unix input supports the following configuration options plus the Common options described later.

`max_message_size`

The maximum size of the message received over the socket. The default is 20MiB.

`path`

The path to the Unix socket that will receive events.

`socket_type`

The type to of the Unix socket that will receive events. Valid values are stream and datagram. The default is stream.

`group`

The group ownership of the Unix socket that will be created by Filebeat. The default is the primary group name for the user Filebeat is running as. This option is ignored on Windows.

`mode`

The file mode of the Unix socket that will be created by Filebeat. This is expected to be a file mode as an octal string. The default value is the system default (generally 0755).

`framing`

`line_delimiter`

Specify the characters used to split the incoming events. The default is '\n'.

`max_connections`

The at most number of connections to accept at any given point in time.

`timeout`

The number of seconds of inactivity before a connection is closed. The default is 300s.

See [configuration-ssl] for more information.

Metrics

This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.

Metric Description

path

Path of the unix socket.

received_events_total

Total number of packets (events) that have been received.

received_bytes_total

Total number of bytes received.

arrival_period

Histogram of the time between successive packets in nanoseconds.

processing_time

Histogram of the time taken to process packets in nanoseconds.

Common options

The following configuration options are supported by all inputs.

`enabled`

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

`tags`

Example:

filebeat.inputs:
- type: unix
  . . .
  tags: ["json"]

`fields`

filebeat.inputs:
- type: unix
  . . .
  fields:
    app_id: query_engine_12

`fields_under_root`

`processors`

A list of processors to apply to the input data.

See Filter and enhance data with processors for information about specifying processors in your config.

`pipeline`

The ingest pipeline ID to set for the events generated by this input.

Note	The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.

`keep_null`

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

`index`

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

`publisher_pipeline.disable_host`

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

Unresolved directive in filebeat-options.asciidoc - include::../../x-pack/filebeat/docs/inputs/input-gcs.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../docs/filebeat-modules-options.asciidoc[]

Configure general settings

General settings

You can specify settings in the {beatname_lc}.yml config file to control the general behavior of Filebeat. This includes:

Global options that control things like publisher behavior and the location of some files.
General options that are supported by all Elastic Beats.

Global Filebeat configuration options

These options are in the filebeat namespace.

`registry.path`

The root path of the registry. If a relative path is used, it is considered relative to the data path. See the [directory-layout] section for details. The default is ${path.data}/registry.

filebeat.registry.path: registry

Note	The registry is only updated when new events are flushed and not on a predefined period. That means in case there are some states where the TTL expired, these are only removed when new events are processed.

`registry.file_permissions`

The permissions mask to apply on registry data file. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.

The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.

This option is not supported on Windows.

Examples:

0640: give read and write access to the file owner, and read access to members of the group associated with the file.
0600: give read and write access to the file owner, and no access to all others.

filebeat.registry.file_permissions: 0600

`registry.flush`

The timeout value that controls when registry entries are written to disk (flushed). When an unwritten update exceeds this value, it triggers a write to disk. When registry.flush is set to 0s, the registry is written to disk after each batch of events has been published successfully. The default value is 1s.

Note	The registry is always updated when Filebeat shuts down normally. After an abnormal shutdown, the registry will not be up-to-date if the `registry.flush` value is >0s. Filebeat will send published events again (depending on values in the last updated registry file).

Note	Filtering out a huge number of logs can cause many registry updates, slowing down processing. Setting `registry.flush` to a value >0s reduces write operations, helping Filebeat process more events.

`registry.migrate_file`

Prior to Filebeat 7.0 the registry is stored in a single file. When you upgrade to 7.0, Filebeat will automatically migrate the old Filebeat 6.x registry file to use the new directory format. Filebeat looks for the file in the location specified by filebeat.registry.path. If you changed the path while upgrading, set filebeat.registry.migrate_file to point to the old registry file.

filebeat.registry.path: ${path.data}/registry
filebeat.registry.migrate_file: /path/to/old/registry_file

The registry will be migrated to the new location only if a registry using the directory format does not already exist.

`config_dir`

deprecated:[6.0.0, Use Input config instead.]

The full path to the directory that contains additional input configuration files. Each configuration file must end with .yml. Each config file must also specify the full Filebeat config hierarchy even though only the inputs part of each file is processed. All global options, such as registry_file, are ignored.

The config_dir option MUST point to a directory other than the directory where the main Filebeat config file resides.

If the specified path is not absolute, it is considered relative to the configuration path. See the [directory-layout] section for details.

filebeat.config_dir: path/to/configs

`shutdown_timeout`

How long Filebeat waits on shutdown for the publisher to finish sending events before Filebeat shuts down.

By default, this option is disabled, and Filebeat does not wait for the publisher to finish sending events before shutting down. This means that any events sent to the output, but not acknowledged before Filebeat shuts down, are sent again when you restart Filebeat. For more details about how this works, see How does Filebeat ensure at-least-once delivery?.

You can configure the shutdown_timeout option to specify the maximum amount of time that Filebeat waits for the publisher to finish sending events before shutting down. If all events are acknowledged before shutdown_timeout is reached, Filebeat will shut down.

There is no recommended setting for this option because determining the correct value for shutdown_timeout depends heavily on the environment in which Filebeat is running and the current state of the output.

Example configuration:

filebeat.shutdown_timeout: 5s

Unresolved directive in filebeat-general-options.asciidoc - include::/github/workspace/../../libbeat/docs/generalconfig.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-path-config.asciidoc[]

Load external configuration files

Config file loading

Filebeat can load external configuration files for inputs and modules, allowing you to separate your configuration into multiple smaller configuration files. See the Input config and the Module config sections for details.

Unresolved directive in reload-configuration.asciidoc - include::/github/workspace/../../libbeat/docs/shared-note-file-permissions.asciidoc[]

Input config

For input configurations, you specify the path option in the {beatname_lc}.config.inputs section of the {beatname_lc}.yml file. For example:

filebeat.config.inputs:
  enabled: true
  path: inputs.d/*.yml

Each file found by the path Glob must contain a list of one or more input definitions.

Tip

The first line of each external configuration file must be an input definition that starts with - type. Make sure you omit the line {beatname_lc}.config.inputs from this file. All input type configuration options must be specified within each external configuration file. Specifying these configuration options at the global filebeat.config.inputs level is not supported.

Example external configuration file:

- type: log
  paths:
    - /var/log/mysql.log
  scan_frequency: 10s

- type: log
  paths:
    - /var/log/apache.log
  scan_frequency: 5s

Warning

It is critical that two running inputs DO NOT have overlapping file paths defined. If more than one input harvests the same file at the same time, it can lead to unexpected behavior.

Module config

For module configurations, you specify the path option in the {beatname_lc}.config.modules section of the {beatname_lc}.yml file. By default, Filebeat loads the module configurations enabled in the modules.d directory. For example:

filebeat.config.modules:
  enabled: true
  path: ${path.config}/modules.d/*.yml

The path setting must point to the modules.d directory if you want to use the modules command to enable and disable module configurations.

Each file found by the Glob must contain a list of one or more module definitions.

Tip	The first line of each external configuration file must be a module definition that starts with `- module`. Make sure you omit the line {beatname_lc}.config.modules from this file.

For example:

- module: apache
  access:
    enabled: true
    var.paths: [/var/log/apache2/access.log*]
  error:
    enabled: true
    var.paths: [/var/log/apache2/error.log*]

Live reloading

You can configure Filebeat to dynamically reload external configuration files when there are changes. This feature is available for input and module configurations that are loaded as external configuration files. You cannot use this feature to reload the main {beatname_lc}.yml configuration file.

To configure this feature, you specify a path (Glob) to watch for configuration changes. When the files found by the Glob change, new inputs and/or modules are started and stopped according to changes in the configuration files.

This feature is especially useful in container environments where one container is used to tail logs for services running in other containers on the same host.

To enable dynamic config reloading, you specify the path and reload options under {beatname_lc}.config.inputs or {beatname_lc}.config.modules sections. For example:

filebeat.config.inputs:
  enabled: true
  path: configs/*.yml
  reload.enabled: true
  reload.period: 10s

path: A Glob that defines the files to check for changes.
reload.enabled: When set to true, enables dynamic config reload.
reload.period: Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in unnecessary overhead.

Unresolved directive in reload-configuration.asciidoc - include::/github/workspace/../../libbeat/docs/shared-note-file-permissions.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/outputconfig.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-kerberos-config.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-ssl-config.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::../../libbeat/docs/shared-ilm.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/setup-config.asciidoc[]

Filter and enhance data with processors

Processors

Your use case might require only a subset of the data exported by Filebeat, or you might need to enhance the exported data (for example, by adding metadata). Filebeat provides a couple of options for filtering and enhancing exported data.

You can configure each input to include or exclude specific lines or files. This allows you to specify different filtering criteria for each input. To do this, you use the include_lines, exclude_lines, and exclude_files options under the {beatname_lc}.inputs section of the config file (see Configure inputs). The disadvantage of this approach is that you need to implement a configuration option for each filtering criteria that you need.

Another approach (the one described here) is to define processors to configure global processing across all data exported by Filebeat.

Processors

Unresolved directive in filebeat-filtering.asciidoc - include::/github/workspace/../../libbeat/docs/processors.asciidoc[]

Drop event example

The following configuration drops all the DEBUG messages.

processors:
  - drop_event:
      when:
        regexp:
          message: "^DBG:"

To drop all the log messages coming from a certain log file:

processors:
  - drop_event:
      when:
        contains:
          source: "test"

Decode JSON example

In the following example, the fields exported by Filebeat include a field, inner, whose value is a JSON object encoded as a string:

{ "outer": "value", "inner": "{\"data\": \"value\"}" }

The following configuration decodes the inner JSON object:

filebeat.inputs:
- type: log
  paths:
    - input.json
  json.keys_under_root: true

processors:
  - decode_json_fields:
      fields: ["inner"]

output.console.pretty: true

The resulting output looks something like this:

{
  "@timestamp": "2016-12-06T17:38:11.541Z",
  "beat": {
    "hostname": "host.example.com",
    "name": "host.example.com",
    "version": "{version}"
  },
  "inner": {
    "data": "value"
  },
  "input": {
    "type": "log",
  },
  "offset": 55,
  "outer": "value",
  "source": "input.json",
  "type": "log"
}

Unresolved directive in filebeat-filtering.asciidoc - include::/github/workspace/../../libbeat/docs/processors-using.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-autodiscover.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/queueconfig.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/loggingconfig.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/http-endpoint.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/regexp.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-instrumentation.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-feature-flags.asciidoc[]

Unresolved directive in configuring-howto.asciidoc - include::/github/workspace/../../libbeat/docs/reference-yml.asciidoc[]

How to guides

Override configuration settings at the command line

Override configuration settings

Note	If you’re running Filebeat as a service, you can’t specify command-line flags. To specify flags, start Filebeat in the foreground.

You can override any configuration setting from the command line by using flags:

-E, --E "SETTING_NAME=VALUE": Overrides a specific configuration setting.
-M, --M "VAR_NAME=VALUE": Overrides the default configuration for a module.

You can specify multiple overrides. Overrides are applied to the currently running Filebeat process. The Filebeat configuration file is not changed.

Example: override configuration file settings

The following configuration sends logging output to files:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640

To override the logging level and send logging output to standard error instead of a file, use the -E flag when you run Filebeat:

-E "logging.to_files=false" -E "logging.to_stderr=true" -E "logging.level=error"

Example: override module settings

The following configuration sets the path to Nginx access logs:

- module: nginx
  access:
    var.paths: ["/var/log/nginx/access.log*"] (1)

To override this setting from the command line, use the -M flag when you run Filebeat. The variable name must include the module and fileset name. For example:

-M "nginx.access.var.paths=[/path/to/log/nginx/access.log*]"

You can specify multiple overrides. Each override must start with -M.

For information about specific variables that you can set for each fileset, see the documentation under Modules.

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/howto/load-index-templates.asciidoc[]

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/howto/change-index-name.asciidoc[]

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/howto/load-dashboards.asciidoc[]

Load ingest pipelines

The ingest pipelines used to parse log lines are set up automatically the first time you run Filebeat, assuming the {es} output is enabled. If you’re sending events to {ls} you need to load the ingest pipelines manually. To do this, run the setup command with the --pipelines option specified. You also need to enable the modules and filesets, this can be accomplished several ways.

First you can use the --modules option to enable the module, and the -M option to enable the fileset. For example, the following command loads the access pipeline from the nginx module.

deb and rpm:

filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"

mac:

./filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"

linux:

./filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"

win:

PS > .\filebeat.exe setup --pipelines --modules nginx -M "nginx.access.enabled=true"

The second option is to use the --modules option to enable the module, and the --force-enable-module-filesets option to enable all the filesets in the module. For example, the following command loads the access pipeline from the nginx module.

deb and rpm:

filebeat setup --pipelines --modules nginx --force-enable-module-filesets

mac:

./filebeat setup --pipelines --modules nginx --force-enable-module-filesets

linux:

./filebeat setup --pipelines --modules nginx --force-enable-module-filesets

win:

PS > .\filebeat.exe setup --pipelines --modules nginx --force-enable-module-filesets

The third option is to use the --enable-all-filesets option to enable all the modules and all the filesets so all of the ingest pipelines are loaded. For example, the following command loads all the ingest pipelines.

deb and rpm:

filebeat setup --pipelines --enable-all-filesets

mac:

./filebeat setup --pipelines --enable-all-filesets

linux:

./filebeat setup --pipelines --enable-all-filesets

win:

PS > .\filebeat.exe setup --pipelines --enable-all-filesets

Tip	If you’re loading ingest pipelines manually because you want to send events to {ls}, also see {logstash-ref}/filebeat-modules.html[Working with Filebeat modules].

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-geoip.asciidoc[]

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-deduplication.asciidoc[]

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-config-ingest.asciidoc[]

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/shared-env-vars.asciidoc[] :standalone!:

Unresolved directive in howto/howto.asciidoc - include::/github/workspace/../../libbeat/docs/yaml.asciidoc[] :standalone!:

Migrate `log` input configurations to `filestream`

The filestream input has been generally available since 7.14 and it is highly recommended you migrate your existing log input configurations. The filestream input comes with many improvements over the old log input, such as configurable order for parsers and more.

The log input is deprecated and will eventually be removed from Filebeat. We are not fixing new issues or adding any enhancements to the log input. Our focus is on filestream.

This manual migration is required only if you’ve defined log inputs manually in your stand-alone Filebeat configuration. All the integrations or modules that are still using log inputs under the hood will be eventually migrated automatically without any additional actions required from the user.

In this guide, you’ll learn how to migrate an existing log input configuration.

Important

You must replace log inputs with filestream inputs, make sure you have removed all the old log inputs from the configuration before starting Filebeat with the new filestream inputs. Running old log inputs and new filestream inputs pointed to the same files will lead to data duplication.

The following example shows three log inputs:

filebeat.inputs:
 - type: log
   enabled: true
   paths:
     - /var/log/java-exceptions*.log
   multiline:
    pattern: '^\['
    negate: true
    match: after
  close_removed: true
  close_renamed: true

- type: log
  enabled: true
  paths:
    - /var/log/my-application*.json
  scan_frequency: 1m
  json.keys_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/my-old-files*.log
  tail_files: true

For this example, let’s assume that the log input is used to collect logs from the following files. The progress of data collection is shown for each file.

/var/log/java-exceptions1.log (100%)
/var/log/java-exceptions2.log (100%)
/var/log/java-exceptions3.log (75%)
/var/log/java-exceptions4.log (0%)
/var/log/java-exceptions5.log (0%)
/var/log/my-application1.json (100%)
/var/log/my-application2.json (5%)
/var/log/my-application3.json (0%)
/var/log/my-old-files1.json (0%)

Step 1: Set an identifier for each `filestream` input

All filestream inputs require an ID. Ensure you set a unique identifier for every input.

Important

Never change the ID of an input, or you will end up with duplicate events.

filebeat.inputs:
- type: filestream
  enabled: true
  id: my-java-collector
  paths:
    - /var/log/java-exceptions*.log

- type: filestream
  enabled: true
  id: my-application-input
  paths:
    - /var/log/my-application*.json

- type: filestream
  enabled: true
  id: my-old-files
  paths:
    - /var/log/my-old-files*.log

Step 2: Enable the `take over` mode

Now, to indicate that the new filestream is supposed to take over the files from a previously defined log input, we need to add take_over: true to each new filestream. This will make sure that the new filestream inputs will continue ingesting files from the same offset where the log inputs stopped.

Note	It’s recommended to enable debug-level logs for Filebeat in order to follow the migration process. After the first run with `take_over: true` the setting can be removed.

Warning

The take over mode is in beta.

Important

If this parameter is not set, all the files will be re-ingested from the beginning and this will lead to data duplication. Please, double-check that this parameter is set.

logging:
  level: debug
filebeat.inputs:
- type: filestream
  enabled: true
  id: my-java-collector
  take_over: true
  paths:
    - /var/log/java-exceptions*.log

- type: filestream
  enabled: true
  id: my-application-input
  take_over: true
  paths:
    - /var/log/my-application*.json

- type: filestream
  enabled: true
  id: my-old-files
  take_over: true
  paths:
    - /var/log/my-old-files*.log

Step 3: Use new option names

Several options are renamed in filestream. You can find a table with all of the changed configuration names at the end of this guide.

The most significant change you have to know about is in parsers. The configuration of multiline, json, and other parsers has changed. Now the ordering is configurable, so filestream expects a list of parsers. Furthermore, the json parser was renamed to ndjson.

The example configuration shown earlier needs to be adjusted as well:

- type: filestream
  enabled: true
  id: my-java-collector
  take_over: true
  paths:
    - /var/log/java-exceptions*.log
  parsers:
    - multiline:
        pattern: '^\['
        negate: true
        match: after
  close.on_state_change.removed: true
  close.on_state_change.renamed: true

- type: filestream
  enabled: true
  id: my-application-input
  take_over: true
  paths:
    - /var/log/my-application*.json
  prospector.scanner.check_interval: 1m
  parsers:
    - ndjson:
        keys_under_root: true

- type: filestream
  enabled: true
  id: my-old-files
  take_over: true
  paths:
    - /var/log/my-old-files*.log
  ignore_inactive: since_last_start

Option name in log input

Option name in filestream input

recursive_glob.enabled

prospector.scanner.recursive_glob

harvester_buffer_size

buffer_size

max_bytes

message_max_bytes

json

parsers.n.ndjson

multiline

parsers.n.multiline

exclude_files

prospector.scanner.exclude_files

close_inactive

close.on_state_change.inactive

close_removed

close.on_state_change.removed

close_eof

close.reader.on_eof

close_timeout

close.reader.after_interval

close_inactive

close.on_state_change.inactive

scan_frequency

prospector.scanner.check_interval

tail_files

ignore_inactive.since_last_start

symlinks

prospector.scanner.symlinks

backoff

backoff.init

backoff_max

backoff.max

If something went wrong

If for whatever reason you’d like to revert the configuration after running the migrated configuration and return to old log inputs the files that were taken by filestream inputs, you need to do the following:

Stop Filebeat as soon as possible
Save its debug-level logs for further investigation
Find your registry.path/filebeat directory
Find the created backup files, they have the <timestamp>.bak suffix. If you have multiple backups for the same file, choose the one with the more recent timestamp.
Replace the files with their backups, e.g. log.json should be replaced by log.json-1674152412247684000.bak
Run Filebeat with the old configuration (no filestream inputs with take_over: true).

Note	Reverting to backups might cause some events to repeat, depends on the amount of time the new configuration was running.

Migrating from a Deprecated Filebeat Module

If a Filebeat module has been deprecated, there are a few options available for a path forward:

Migrate to an Elastic integration, if available. The deprecation notice will link to an appropriate integration, if one exists.
Migrate to Elastic Agent for ingesting logs. If a specific integration for the vendor/product does not exist, then one of the custom integrations can be used for ingesting events. A custom pipeline may also be attached to the integration for further processing.
- CEL Custom API - Collect events from an API using CEL (Common Expression Language)
- Custom API - Collect events from an API using the HTTPJSON input
- Custom Google Pub/Sub - Collect events from Google Pub/Sub topics
- Custom HTTP Endpoint - Collect events from a listening HTTP port
- Custom Journald - Collect events from journald
- Custom Kafka - Collect events from a Kafka topic
- Custom Logs - Collect events from files
- Custom TCP - Collect events from a listening TCP port
- Custom UDP - Collect events from a listening UDP port
- Custom Windows Event - Collect events from a Windows Event Log channel
Migrate to a different Filebeat module. In some cases, a Filebeat module may be superseded by a new module. The deprecation notice will link to an appropriate module, if one exists.
Use a custom Filebeat input, processors, and ingest pipeline (if necessary).

Modules

Modules overview

Filebeat modules simplify the collection, parsing, and visualization of common log formats.

A typical module (say, for the Nginx logs) is composed of one or more filesets (in the case of Nginx, access and error). A fileset contains the following:

Filebeat input configurations, which contain the default paths where to look for the log files. These default paths depend on the operating system. The Filebeat configuration is also responsible with stitching together multiline events when needed.
{es} {ref}/ingest.html[ingest pipeline] definition, which is used to parse the log lines.
Fields definitions, which are used to configure {es} with the correct types for each field. They also contain short descriptions for each of the fields.
Sample {kib} dashboards, when available, that can be used to visualize the log files.

Filebeat automatically adjusts these configurations based on your environment and loads them to the respective {stack} components.

If a module configuration is updated, the {es} ingest pipeline definition is not reloaded automatically. To reload the ingest pipeline, set filebeat.overwrite_pipelines: true and manually load the ingest pipelines.

Get started

To learn how to configure and run Filebeat modules:

Get started by reading Filebeat quick start: installation and configuration.
Dive into the documentation for each module.

ActiveMQ module

Unresolved directive in modules/activemq.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This module parses Apache ActiveMQ logs. It supports application and audit logs.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for ActiveMQ logs:

- module: activemq
  audit:
    enabled: true
    var.paths: ["/path/to/log/activemq/data/audit.log*"]
  log:
    enabled: true
    var.paths: ["/path/to/log/activemq/data/activemq.log*"]

To specify the same settings at the command line, you use:

-M "activemq.audit.var.paths=[/path/to/log/activemq/data/audit.log*]"
-M "activemq.log.var.paths=[/path/to/log/activemq/data/activemq.log*]"

`audit` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`log` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the event.timezone field.

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

If logs are originated from systems or applications with a different time zone to the local one, the event.timezone field can be overwritten with the original time zone using the add_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Dashboards

The ActiveMQ module comes with several predefined dashboards for application and audit logs. For example:

Fields

For a description of each field in the module, see the exported fields section.

Apache module

Unresolved directive in modules/apache.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module parses access and error logs created by the Apache HTTP server.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from versions 2.2.22 and 2.4.23.

On Windows, the module was tested with Apache HTTP Server installed from the Chocolatey repository.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for Apache HTTP Server access and error logs:

- module: apache
  access:
    enabled: true
    var.paths: ["/path/to/log/apache/access.log*"]
  error:
    enabled: true
    var.paths: ["/path/to/log/apache/error.log*"]

To specify the same settings at the command line, you use:

-M "apache.access.var.paths=[/path/to/apache/access.log*]" -M "apache.error.var.paths=[/path/to/log/apache/error.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`access` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`error` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Virtual Host

See customlog documentation https://httpd.apache.org/docs/2.4/en/mod/mod_log_config.html Add %v config in httpd.conf in log section

    # Replace
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    # By
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

Auditd module

Unresolved directive in modules/auditd.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs from the audit daemon (auditd).

Note	Although Filebeat is able to parse logs by using the `auditd` module, {auditbeat-ref}/auditbeat-module-auditd.html[{auditbeat}] offers more advanced features for monitoring audit logs.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from auditd on OSes like CentOS 6 and CentOS 7.

This module is not available for Windows.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for logs:

- module: auditd
  log:
    enabled: true
    var.paths: ["/path/to/log/audit/audit.log*"]

To specify the same settings at the command line, you use:

-M "auditd.log.var.paths=[/path/to/log/audit/audit.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard showing an overview of the audit log data. You can build more specific dashboards that are tailored to the audit rules that you use on your systems.

Fields

For a description of each field in the module, see the exported fields section.

AWS module

Unresolved directive in modules/aws.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification or directly polling list of S3 objects in an S3 bucket. The use of SQS notification is preferred: polling list of S3 objects is expensive in terms of performance and costs, and cannot scale horizontally without ingestion duplication, and should be preferably used only when no SQS notification can be attached to the S3 buckets.

This module supports reading S3 server access logs with s3access fileset, ELB access logs with elb fileset, VPC flow logs with vpcflow fileset, and CloudTrail logs with cloudtrail fileset.

Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and from network interfaces in AWS VPC. ELB access logs captures detailed information about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service.

The aws module requires AWS credentials configuration in order to make AWS API calls. Users can either use access_key_id, secret_access_key and/or session_token, or use role_arn AWS IAM role, or use shared AWS credentials file.

Users may use external_id to support assuming a role in another account, see the AWS documentation for use of external IDs.

Please see AWS credentials options for more details.

Tip	Read the quick start to learn how to configure and run modules.

Module configuration

Example config:

- module: aws
  cloudtrail:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

  cloudwatch:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

  ec2:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

  elb:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

  s3access:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

  vpcflow:
    enabled: false
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    #var.bucket_arn: 'arn:aws:s3:::mybucket'
    #var.bucket_list_prefix: 'prefix'
    #var.bucket_list_interval: 300s
    #var.number_of_workers: 5
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    #var.credential_profile_name: fb-aws
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    #var.visibility_timeout: 300s
    #var.api_timeout: 120s
    #var.endpoint: amazonaws.com
    #var.default_region: us-east-1
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    #var.proxy_url: http://proxy:8080

var.queue_url: AWS SQS queue url (Required when var.bucket_arn is not set).
var.visibility_timeout: The duration that the received messages are hidden from ReceiveMessage request. Default to be 300 seconds.
var.api_timeout: The maximum duration of the AWS API call. If it exceeds the timeout, the AWS API call will be interrupted. The default AWS API timeout is 120s.

The API timeout must be longer than the sqs.wait_time value.

var.bucket_arn: AWS S3 bucket ARN (Required when var.queue_url is not set).
var.number_of_workers: Number of workers that will process the S3 objects listed (Required when var.bucket_arn is set). Use to vertically scale the input.
var.bucket_list_interval: Wait interval between completion of a list request to the S3 bucket and beginning of the next one. Default to be 120 seconds.
var.bucket_list_prefix: Prefix to apply for the list request to the S3 bucket. Default empty.
var.endpoint: Custom endpoint used to access AWS APIs.
var.default_region: Default region to query if no other region is set.
var.shared_credential_file: Filename of AWS credential file.
var.credential_profile_name: AWS credential profile name.
var.access_key_id: First part of access key.
var.secret_access_key: Second part of access key.
var.session_token: Required when using temporary security credentials.
var.role_arn: AWS IAM Role to assume.

config behaviour

Beware that in case both var.queue_url and var.bucket_arn are not set instead of failing to start Filebeat with a config validation error, only the specific fileset input will be stopped and a warning printed:

2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop
2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"}
2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"}

This behaviour is required in order to reduce destruction of existing Filebeat setup where not all AWS module’s filesets are defined and will change in next major release.

Setting enabled: false in the unused fileset will silence the warning and it is the suggested setup. For example (assuming cloudtrail as unused fileset):

- module: aws
  cloudtrail:
    enabled: false

cloudtrail fileset

CloudTrail monitors events for the account. If user creates a trail, it delivers those events as log files to a specific Amazon S3 bucket. The cloudtrail fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs.

cloudwatch fileset

Users can use Amazon CloudWatch Logs to monitor, store, and access log files from different sources. Export logs from log groups to an Amazon S3 bucket which has SQS notification setup already. This fileset will parse these logs into timestamp and message field.

ec2 fileset

This fileset is specifically for EC2 logs stored in AWS CloudWatch. Export logs from log groups to Amazon S3 bucket which has SQS notification setup already. With this fileset, EC2 logs will be parsed into fields like ip and program_name. For logs from other services, please use cloudwatch fileset.

elb fileset

Elastic Load Balancing provides access logs that capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. Users can use these access logs to analyze traffic patterns and to troubleshoot issues.

Please follow enable access logs for classic load balancer for sending Classic ELB access logs to S3 bucket. For application load balancer, please follow enable access log for application load balancer. For network load balancer, please follow enable access log for network load balancer.

This fileset comes with a predefined dashboard:

s3access fileset

Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about customer base and understand Amazon S3 bill.

Please follow how to enable server access logging for sending server access logs to S3 bucket.

This fileset comes with a predefined dashboard:

vpcflow fileset

VPC Flow Logs is a feature in AWS that enables users to capture information about the IP traffic going to and from network interfaces in VPC. Flow log data needs to be published to Amazon S3 in order for vpcflow fileset to retrieve. Flow logs can help users to monitor traffic that is reaching each instance and determine the direction of the traffic to and from the network interfaces.

This fileset comes with a predefined dashboard:

Unresolved directive in modules/aws.asciidoc - include::../../../x-pack/libbeat/docs/aws-credentials-config.asciidoc[]

Fields

For a description of each field in the module, see the exported fields section.

AWS Fargate module

beta[]

This module can be used to collect container logs from Amazon ECS on Fargate. It uses filebeat awscloudwatch input to get log files from one or more log streams in AWS CloudWatch. Logs from all containers in Fargate launch type tasks can be sent to CloudWatch by adding the awslogs log driver under logConfiguration section in the task definition. For example, logConfiguration can be added into the task definition by adding this section into the containerDefinitions:

{
   "logDriver":"awslogs",
   "options":{
      "awslogs-group":"awslogs-wordpress",
      "awslogs-region":"us-west-2",
      "awslogs-stream-prefix":"awslogs-example"
   }
}

The awsfargate module requires AWS credentials configuration in order to make AWS API calls. Users can either use access_key_id, secret_access_key and/or session_token, or use role_arn AWS IAM role, or use shared AWS credentials file.

Please see AWS credentials options for more details.

Module configuration

Example config:

- module: awsfargate
  log:
    enabled: true
    var.credential_profile_name: test-filebeat
    var.log_group_arn: arn:aws:logs:us-east-1:1234567890:log-group:/ecs/test-log-group:*

var.log_group_arn

ARN of the log group to collect logs from.

var.log_group_name

Name of the log group to collect logs from. Note: region_name is required when log_group_name is given.

var.region_name

Region that the specified log group belongs to.

var.log_streams

A list of strings of log streams names that Filebeat collect log events from.

var.log_stream_prefix

A string to filter the results to include only log events from log streams that have names starting with this prefix.

var.start_position

start_position allows user to specify if this input should read log files from the beginning or from the end.

beginning: reads from the beginning of the log group (default).
end: read only new messages from current time minus scan_frequency going forward

var.scan_frequency

This config parameter sets how often Filebeat checks for new log events from the specified log group. Default scan_frequency is 1 minute, which means Filebeat will sleep for 1 minute before querying for new logs again.

var.api_timeout

The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted. The default AWS API timeout for a message is 120 seconds. The minimum is 0 seconds.

var.api_sleep

This is used to sleep between AWS FilterLogEvents API calls inside the same collection period. FilterLogEvents API has a quota of 5 transactions per second (TPS)/account/Region. By default, api_sleep is 200 ms. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.

var.shared_credential_file

Filename of AWS credential file.

var.credential_profile_name

AWS credential profile name.

var.access_key_id

First part of access key.

var.secret_access_key

Second part of access key.

var.session_token

Required when using temporary security credentials.

var.role_arn

AWS IAM Role to assume.

var.endpoint

The custom endpoint used to access AWS APIs.

Unresolved directive in modules/awsfargate.asciidoc - include::../../../x-pack/libbeat/docs/aws-credentials-config.asciidoc[]

Fields

For a description of each field in the module, see the exported fields section.

Azure module

Unresolved directive in modules/azure.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The azure module retrieves different types of log data from Azure. There are several requirements before using the module since the logs will actually be read from azure event hubs.

the logs have to be exported first to the event hubs https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create-kafka-enabled
to export activity logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export
to export audit and sign-in logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub

The module contains the following filesets:

activitylogs: Will retrieve azure activity logs. Control-plane events on Azure Resource Manager resources. Activity logs provide insight into the operations that were performed on resources in your subscription. To learn more, refer to the Azure Activity log documentation.
platformlogs: Will retrieve azure platform logs. Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. To learn more, refer to the Azure platform logs documentation.
signinlogs: Will retrieve azure Active Directory sign-in logs. The sign-ins report provides information about the usage of managed applications and user sign-in activities. To learn more, refer to the Azure sign-in logs documentation.
auditlogs: Will retrieve azure Active Directory audit logs. The audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. To learn more, refer to the Azure audit logs documentation.

Module configuration

- module: azure
  activitylogs:
    enabled: true
    var:
      eventhub: "insights-operational-logs"
      consumer_group: "$Default"
      connection_string: ""
      storage_account: ""
      storage_account_key: ""
      resource_manager_endpoint: ""

  platformlogs:
    enabled: false
    var:
      eventhub: ""
      consumer_group: "$Default"
      connection_string: ""
      storage_account: ""
      storage_account_key: ""
      resource_manager_endpoint: ""

  auditlogs:
    enabled: false
    var:
      eventhub: "insights-logs-auditlogs"
      consumer_group: "$Default"
      connection_string: ""
      storage_account: ""
      storage_account_key: ""
      resource_manager_endpoint: ""

  signinlogs:
    enabled: false
    var:
      eventhub: "insights-logs-signinlogs"
      consumer_group: "$Default"
      connection_string: ""
      storage_account: ""
      storage_account_key: ""
      resource_manager_endpoint: ""

eventhub: string Is the fully managed, real-time data ingestion service. Default value of insights-operational-logs for activitylogs, insights-logs-auditlogs for auditlogs, and insights-logs-signinlogs for signinlogs. It is recommended to use a separate eventhub for each log type as the field mappings of each log type are different.
consumer_group: string The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: $Default
connection_string: string The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.

A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.

storage_account: string The name of the storage account the state/offsets will be stored and updated.
storage_account_key: string The storage account key, this key will be used to authorize access to data in your storage account.
resource_manager_endpoint: string Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: https://management.chinacloudapi.cn/ for azure ChinaCloud https://management.microsoftazure.de/ for azure GermanCloud https://management.azure.com/ for azure PublicCloud https://management.usgovcloudapi.net/ for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Dashboards

The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example:

Fields

For a description of each field in the module, see the exported fields section.

Barracuda module

deprecated::[8.12.0,"This module is deprecated. Use the Barracuda Web Application Firewall Elastic integration instead."]

experimental[]

Unresolved directive in modules/barracuda.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`waf` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9503

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`spamfirewall` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "barracudasf" device revision 125.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9524

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Bluecoat module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Unresolved directive in modules/bluecoat.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Blue Coat Director logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`director` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9505

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

CEF module

Unresolved directive in modules/cef.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Common Event Format (CEF) data over Syslog. When messages are received over the syslog protocol the syslog input will parse the header and set the timestamp value. Then the decode_cef processor is applied to parse the CEF encoded data. The decoded data is written into a cef object field. Lastly any Elastic Common Schema (ECS) fields that can be populated with the CEF data are populated.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9003

Note	Ports below 1024 require Filebeat to run as root.

var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [cef, forwarded].
var.timezone: IANA time zone name (e.g. America/New_York) or fixed time offset (e.g. +0200) to use when parsing times from the CEF message that do not contain a time zone. Local may be specified to use the machine’s local time zone. Defaults to UTC.

Forcepoint NGFW Security Management Center

This module will process CEF data from Forcepoint NGFW Security Management Center (SMC). In the SMC configure the logs to be forwarded to the address set in var.syslog_host in format CEF and service UDP on var.syslog_port. Instructions can be found in KB 15002 for configuring the SMC. Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings were taken from 'CEF Connector Configuration Guide' dated December 5, 2011.

Check Point devices

This module will parse CEF data form Check Point devices as documented in Log Exporter CEF Field Mappings.

Check Point CEF extensions are mapped as follows:

CEF Extension

CEF Label value

ECS Fields

Non-ECS Field

cp_app_risk

event.risk_score

checkpoint.app_risk

cp_severity

event.severity

checkpoint.severity

baseEventCount

checkpoint.event_count

deviceExternalId

observer.type

deviceFacility

observer.type

deviceInboundInterface

observer.ingress.interface.name

deviceOutboundInterface

observer.egress.interface.name

externalId

checkpoint.uuid

fileHash

file.hash.{md5,sha1}

reason

checkpoint.termination_reason

requestCookies

checkpoint.cookie

sourceNtDomain

dns.question.name

Signature

vulnerability.id

Recipient

destination.user.email

Sender

source.user.email

deviceCustomFloatingPoint1

update version

observer.version

deviceCustomIPv6Address2

source ipv6 address

source.ip

deviceCustomIPv6Address3

destination ipv6 address

destination.ip

deviceCustomNumber1

elapsed time in seconds

event.duration

email recipients number

checkpoint.email_recipients_num

payload

network.bytes

deviceCustomNumber2

icmp type

checkpoint.icmp_type

duration in seconds

event.duration

deviceCustomNumber3

icmp code

checkpoint.icmp_code

deviceCustomString1

connectivity state

checkpoint.connectivity_state

application rule name

rule.name

threat prevention rule name

rule.name

voip log type

checkpoint.voip_log_type

dlp rule name

rule.name

email id

checkpoint.email_id

deviceCustomString2

Fields

For a description of each field in the module, see the exported fields section.

Check Point module

Unresolved directive in modules/checkpoint.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Check Point firewall logs. It supports logs from the Log Exporter in the Syslog RFC 5424 format. If you need to ingest Check Point logs in CEF format then please use the CEF module (more fields are provided in the syslog output).

To configure a Log Exporter, please refer to the documentation by Check Point.

Example Log Exporter config:

cp_log_export add name testdestination target-server 192.168.1.1 target-port 9001 protocol udp format syslog

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`firewall` fileset settings

Example config:

- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9001.
var.timezone_offset: IANA time zone or time offset (e.g. +0200) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [checkpoint-firewall, forwarded].
var.ssl: The SSL/TLS configuration for the filebeat instance. This can be used to enforce mutual TLS.

ssl:
  enabled: true
  certificate_authorities: ["my-ca.pem"]
  certificate: "filebeat-cert.pem"
  key: "filebeat-key.pem"
  client_authentication: "required"

Check Point devices

This module will parse Check Point Syslog data as documented in: Checkpoint Log Fields Description.

Check Point Syslog extensions are mapped as follows to ECS:

Check Point Fields

ECS Fields

action

event.action

appi_name

network.application

app_risk

event.risk_score

app_rule_id

rule.id

app_rule_name

rule.name

bytes

network.bytes

Fields

For a description of each field in the module, see the exported fields section.

Cisco module

Unresolved directive in modules/cisco.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Cisco network device’s logs and Cisco Umbrella. It includes the following filesets for receiving logs over syslog or read from a file:

asa fileset: supports Cisco ASA firewall logs.
amp fileset: supports Cisco AMP API logs.
ftd fileset: supports Cisco Firepower Threat Defense logs.
ios fileset: supports Cisco IOS router and switch logs.
nexus fileset: supports Cisco Nexus switch logs.
meraki fileset: supports Cisco Meraki logs.
umbrella fileset: supports Cisco Umbrella logs.

Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in Filebeat.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The module is by default configured to run via syslog on port 9001 for ASA and port 9002 for IOS. However it can also be configured to read from a file path. See the following example.

Cisco Umbrella publishes its logs in a compressed CSV format to a S3 bucket.

- module: cisco
  asa:
    enabled: true
    var.paths: ["/var/log/cisco-asa.log"]
    var.input: "file"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`asa` fileset settings

Example config:

- module: cisco
  asa:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.log_level: 5

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.log_level: An integer between 1 and 7 that allows filtering messages based on the severity level. The different severity levels supported by the Cisco ASA are:

log_level	severity
1	Alert
2	Critical
3	Error
4	Warning
5	Notification
6	Informational
7	Debugging

A value of 7 (default) will not filter any messages. A lower value will drop any messages with a severity level higher than the specified value. For example, var.log_level: 3 will allow messages of level 1 (Alert), 2 (Critical) and 3 (Error). All other messages will be dropped.

Note	The filtering is done in the ingest pipeline, if this setting is changed, the ingest pipeline need to be reloaded manually. To reload the ingest pipeline, set `filebeat.overwrite_pipelines: true` and manually Load ingest pipelines.

var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9001.
var.timezone_offset: IANA time zone or time offset (e.g. +0200) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [cisco-asa, forwarded].

`ftd` fileset settings

The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log messages similar to that of ASA devices as well as Security Event Syslog Messages for Intrusion, Connection, File and Malware events.

Field mappings

The ftd fileset maps Security Event Syslog Messages to the Elastic Common Schema (ECS) format. The following table illustrates the mapping from Security Event fields to ECS. The cisco.ftd prefix is used when there is no corresponding ECS field available.

Mappings for Intrusion events fields:

FTD Field

Mapped fields

ApplicationProtocol

network.protocol

DstIP

destination.address

DstPort

destination.port

EgressInterface

cisco.ftd.destination_interface

GID

service.id

HTTPResponse

http.response.status_code

IngressInterface

cisco.ftd.source_interface

InlineResult

event.outcome

IntrusionPolicy

cisco.ftd.rule_name

Message

message

Protocol

network.transport

SrcIP

source.address

SrcPort

source.port

User

user.id, user.name

WebApplication

network.application

Mappings for Connection and Security Intelligence events fields:

FTD Field

Mapped fields

ACPolicy

cisco.ftd.rule_name

AccessControlRuleAction

event.outcome

AccessControlRuleName

cisco.ftd.rule_name

ApplicationProtocol

network.protocol

ConnectionDuration

event.duration

DNSQuery

dns.question.name

DNSRecordType

dns.question.type

DNSResponseType

dns.response_code

DstIP

destination.address

DstPort

destination.port

EgressInterface

cisco.ftd.destination_interface

HTTPReferer

http.request.referrer

HTTPResponse

http.response.status_code

IngressInterface

cisco.ftd.source_interface

InitiatorBytes

source.bytes

InitiatorPackets

source.packets

NetBIOSDomain

host.hostname

Protocol

network.transport

ReferencedHost

url.domain

ResponderBytes

destination.bytes

ResponderPackets

destination.packets

SSLActualAction

event.outcome

SSLServerName

server.domain

SrcIP

source.address

SrcPort

source.port

URL

url.original

User

user.name

UserAgent

user_agent.original

WebApplication

network.application

originalClientSrcIP

client.address

Mappings for File and Malware events fields:

FTD Field

Mapped fields

ApplicationProtocol

network.protocol

ArchiveFileName

file.name

ArchiveSHA256

file.hash.sha256

Client

network.application

DstIP

destination.address

DstPort

destination.port

FileName

file.name

FilePolicy

cisco.ftd.rule_name

FileSHA256

file.hash.sha256

FileSize

file.size

FirstPacketSecond

event.start

Protocol

network.transport

SrcIP

source.address

SrcPort

source.port

URI

url.original

User

user.name

WebApplication

network.application

Example configuration:

- module: cisco
  ftd:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9003
    var.log_level: 5

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.log_level: An integer between 1 and 7 that allows filtering messages based on the severity level. The different severity levels supported by the Cisco ASA are:

log_level	severity
1	Alert
2	Critical
3	Error
4	Warning
5	Notification
6	Informational
7	Debugging

Note	The filtering is done in the ingest pipeline, if this setting is changed, the ingest pipeline need to be reloaded manually. To reload the ingest pipeline, set `filebeat.overwrite_pipelines: true` and manually Load ingest pipelines.

var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9003.
var.timezone_offset: IANA time zone or time offset (e.g. +0200) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [cisco-ftd, forwarded].

`ios` fileset settings

The Cisco IOS fileset primarily supports parsing IPv4 and IPv6 access list log messages.

Example config:

- module: cisco
  ios:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9002.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [cisco-ios, forwarded].

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

`nexus` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Cisco Nexus Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9506

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`meraki` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Cisco Meraki Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "ciscomeraki" device revision 118.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9525

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`umbrella` fileset settings

The Cisco Umbrella fileset primarily focuses on reading CSV files from an S3 bucket using the filebeat S3 input.

To configure Cisco Umbrella to log to a self-managed S3 bucket please follow the Cisco Umbrella User Guide, and the AWS S3 input documentation to setup the necessary Amazon SQS queue. Retrieving logs from a Cisco-managed S3 bucket is not currently supported.

This fileset supports all 4 log types: - Proxy - Cloud Firewall - IP Logs - DNS logs

The Cisco Umbrella fileset depends on the original file path structure being followed. This structure is documented Umbrella Log Formats and Versioning:

<subfolder>/<YYYY>-<MM>-<DD>/<YYYY>-<MM>-<DD>-<hh>-<mm>-<xxxx>.csv.gz dnslogs/<year>-<month>-<day>/<year>-<month>-<day>-<hour>-<minute>.csv.gz

Example config:

- module: cisco
  umbrella:
    enabled: true
    var.input: aws-s3
    var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue
    var.access_key_id: 123456
    var.secret_access_key: PASSWORD

var.input: The input from which messages are read. Can be S3 or file.
var.queue_url: The URL to the SQS queue if the input type is S3.
var.access_key_id: The ID for the access key used to read from the SQS queue.
var.secret_access_key: The secret token used for authenticating to the SQS queue.
var.visibility_timeout: The duration that the received messages are hidden from ReceiveMessage request. Default to be 300 seconds.
var.api_timeout: Maximum duration before AWS API request will be interrupted. Default to be 120 seconds.

`amp` fileset settings

The Cisco AMP fileset focuses on collecting events from your Cisco AMP/Cisco Secure Endpoint API.

To configure the Cisco AMP fileset you will need to retrieve your client_id and api_key from the AMP dashboard. For more information on how to retrieve these credentials, please reference the Cisco AMP API documentation.

The URL configured for the API depends on which region your AMP is located, currently there are three choices: - api.amp.cisco.com - api.apjc.amp.cisco.com - api.eu.amp.cisco.com

If new endpoints are added by Cisco in the future, please reference the API URL list located at the Cisco AMP API Docs.

Example config:

- module: cisco
  amp:
    enabled: true
    var.input: httpjson
    var.url: https://api.amp.cisco.com/v1/events
    var.client_id: 123456
    var.api_key: sfda987gdf90s0df0

When starting up the Filebeat module for the first time, you are able to configure how far back you want Filebeat to collect existing events from. It is also possible to select how often Filebeat will check the Cisco AMP API. Another example below which looks back 200 hours and have a custom timeout:

- module: cisco
  amp:
    enabled: true
    var.input: httpjson
    var.url: https://api.amp.cisco.com/v1/events
    var.client_id: 123456
    var.api_key: sfda987gdf90s0df0
    var.first_interval: 200h
    var.interval: 60m
    var.request_timeout: 120s
    var.limit: 100

var.input: The input from which messages are read. Supports httpjson.
var.url: The URL to the Cisco AMP API endpoint, this url value depends on your region. It will be the same region as your Cisco AMP Dashboard URL.
var.client_id: The ID for the user account used to access the API.
var.api_key: The API secret used together with the related client_id.
var.request_timeout: When handling large influxes of events, especially for large enterprises, the API might take longer to respond. This value is to set a custom timeout value for each request sent by Filebeat.
var.first_interval: How far back you would want to collect events the first time the Filebeat module starts up. Supports amount in hours(example: 24h), minutes(example: 10m) and seconds(example: 50s).
var.limit: This value controls how many events are returned by the Cisco AMP API per page.

Example dashboard

This module comes with a sample dashboard for ASA:

Fields

For a description of each field in the module, see the exported fields section.

CoreDNS module

This is a filebeat module for CoreDNS. It supports both standalone CoreDNS deployment and CoreDNS deployment in Kubernetes.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

Although this module has been developed against Kubernetes v1.13.x, it is expected to work with other versions of Kubernetes.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

Example config:

- module: coredns
  log:
    enabled: true
    var.paths: ["/var/log/coredns.log"]
    var.tags: ["coredns", "staging"]

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: An array of tags describing the monitored CoreDNS setup.

Example dashboard

This module comes with a sample dashboard.

Fields

For a description of each field in the module, see the exported fields section.

CrowdStrike module

Unresolved directive in modules/crowdstrike.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is the Filebeat module for CrowdStrike Falcon using the Falcon SIEM Connector. This module collects this data, converts it to ECS, and ingests it to view in the SIEM. By default, the Falcon SIEM connector outputs JSON formatted Falcon Streaming API event data.

This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This input supports CrowdStrike Falcon SIEM-Connector-v2.0.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`falcon` fileset settings

The fileset is by default configured to collect JSON formated event data from /var/log/crowdstrike/falconhoseclient/output. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.

var:
  - name: paths
    default:
      - /var/log/crowdstrike/falconhoseclient/output

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Dashboards

The best way to view CrowdStrike events and alert data is in the SIEM.

For alerts, go to Detections → External alerts.

And for all over event CrowdStrike Falcon event types, go to Host → Events.

Fields

For a description of each field in the module, see the exported fields section.

Cyberark PAS module

beta[]

Unresolved directive in modules/cyberarkpas.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file.

The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

`audit` fileset settings

The audit fileset receives Vault Audit logs for User and Safe activities over the syslog protocol.

Vault configuration

Follow the steps under Security Information and Event Management (SIEM) Applications documentation to setup the integration:

Copy the elastic-json-v1.0.xsl XSL Translator file to the Server\Syslog folder.
Sample syslog configuration for DBPARM.ini:

[SYSLOG]
UseLegacySyslogFormat=No
SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
SyslogServerIP=<INSERT FILEBEAT IP HERE>
SyslogServerPort=<INSERT FILEBEAT PORT HERE>
SyslogServerProtocol=TCP

For proper timestamping of events, it’s recommended to use the newer RFC5424 Syslog format (UseLegacySyslogFormat=No). To avoid event loss, use TCP or TLS protocols instead of UDP.

Filebeat configuration

Edit the cyberarkpas.yml configuration. The following sample configuration will accept TCP protocol connections from all interfaces:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    #var.ssl:
    #  enabled: true
    #  certificate: /path/to/cert.pem
    #  key: /path/to/privatekey.pem
    #  key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:

For encrypted communications, follow the CyberArk documentation to configure encrypted protocol in the Vault server and use tcp input with var.ssl settings in Filebeat:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    var.ssl:
      enabled: true
      certificate: /path/to/cert.pem
      key: /path/to/privatekey.pem
      key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:

Configuration options

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

var.input: The input to use. One of tcp (default), udp or file.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9301.

Note	Ports below 1024 require Filebeat to run as root.

var.ssl: Configuration options for SSL parameters to use when acting as a server for TLS protocol. See SSL server configuration options. for a description of the available sub-options.
var.preserve_original_event: Set to true to store the original syslog message under the event.original field. Defaults to false.
var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself.

This setting is only applicable when file input is configured.

Example dashboard

This module comes with a sample dashboard:

Fields

For a description of each field in the module, see the exported fields section.

Cylance module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Unresolved directive in modules/cylance.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving CylanceProtect logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`protect` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "cylance" device revision 127.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9508

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Elasticsearch module

Unresolved directive in modules/elasticsearch.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is the elasticsearch module.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The Elasticsearch module is compatible with Elasticsearch 6.2 and newer.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`server` log fileset settings

var.paths

An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example config:

  server:
    enabled: true
    var.paths:
      - /var/log/elasticsearch/*.log          # Plain text logs
      - /var/log/elasticsearch/*_server.json  # JSON logs

Note	If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.

`gc` log fileset settings

var.paths

Example config:

  gc:
    var.paths:
      - /var/log/elasticsearch/gc.log.[0-9]*
      - /var/log/elasticsearch/gc.log

`audit` log fileset settings

var.paths

Example config:

  audit:
    var.paths:
      - /var/log/elasticsearch/*_access.log  # Plain text logs
      - /var/log/elasticsearch/*_audit.json  # JSON logs

Note	If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.

`slowlog` log fileset settings

var.paths

Example config:

  slowlog:
    var.paths:
      - /var/log/elasticsearch/*_index_search_slowlog.log     # Plain text logs
      - /var/log/elasticsearch/*_index_indexing_slowlog.log   # Plain text logs
      - /var/log/elasticsearch/*_index_search_slowlog.json    # JSON logs
      - /var/log/elasticsearch/*_index_indexing_slowlog.json  # JSON logs

Note	If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.

`deprecation` log fileset settings

var.paths

Example config:

  deprecation:
    var.paths:
      - /var/log/elasticsearch/*_deprecation.log   # Plain text logs
      - /var/log/elasticsearch/*_deprecation.json  # JSON logs

Note	If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Fields

For a description of each field in the module, see the exported fields section.

Envoyproxy Module

This is a Filebeat module for Envoy proxy access log (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). It supports both standalone deployment and Envoy proxy deployment in Kubernetes.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

Although this module has been developed against Envoy proxy 1.10.0 and Kubernetes v1.13.x, it is expected to work with other versions of Envoy proxy and Kubernetes.

Example dashboard

This module comes with a sample dashboard.

Fields

For a description of each field in the module, see the exported fields section.

F5 module

deprecated::[8.12.0,"This module is deprecated. Use the F5 BIG-IP Elastic integration instead."]

experimental[]

Unresolved directive in modules/f5.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for F5 network device’s logs. It includes the following filesets for receiving logs over syslog or read from a file:

bigipapm fileset: supports F5 Big-IP Access Policy Manager.
bigipafm fileset: supports F5 Big-IP Advanced Firewall Manager.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`bigipapm` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9504

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`bigipafm` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "bigipafm" device revision 121.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9528

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Fortinet module

Unresolved directive in modules/fortinet.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Fortinet logs sent in the syslog format. It supports the following devices:

firewall fileset: Supports FortiOS Firewall logs.
clientendpoint fileset: Supports FortiClient Endpoint Protection logs.
fortimail fileset: Supports FortiMail logs.
fortimanager fileset: Supports FortiManager logs.

To configure a remote syslog destination, please reference the Fortigate/FortiOS Documentation.

The syslog format choosen should be Default.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`firewall` fileset settings

- module: fortinet
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9004

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

var.input: The input to use, can be either the value tcp, udp or file.
var.syslog_host: The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9004.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [fortinet-firewall, forwarded].

`clientendpoint` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Fortinet FortiClient Logs Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9510

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`fortimail` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Fortinet FortiMail Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9529

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`fortimanager` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Fortinet FortiManager Logs Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9530

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fortinet ECS fields

This is a list of FortiOS fields that are mapped to ECS.

Fortinet Fields

ECS Fields

action

event.action

agent

user_agent.original

app

network.application

appcat

rule.category

applist

rule.ruleset

catdesc

rule.category

ccertissuer

tls.client_issuer

collectedemail

source.user.email

comment

rule.description

daddr

destination.address

devid

observer.serial_number

dir

network.direction

direction

network.direction

dst_host

destination.address

dstcollectedemail

destination.user.email

dst_int

observer.egress.interface.name

dstintf

observer.egress.interface.name

dstip

destination.ip

dstmac

destination.mac

dstname

destination.address

dst_port

destination.port

dstport

destination.port

dstunauthuser

destination.user.name

dtype

vulnerability.category

duration

event.duration

errorcode

error.code

event_id

event.id

eventid

event.id

eventtime

event.start

eventtype

event.action

file

file.name

filename

file.name

filesize

file.size

filetype

file.extension

filehash

file.hash.crc32

from

source.user.email

group

source.user.group

hostname

url.domain

infectedfilename

file.name

infectedfilesize

file.size

infectedfiletype

file.extension

ipaddr

dns.resolved_ip

level

log.level

locip

source.ip

locport

source.port

logdesc

rule.description

logid

event.code

matchfilename

file.name

matchfiletype

file.extension

msg

message

error_num

error.code

policyid

rule.id

policy_id

rule.id

policyname

rule.name

policytype

rule.ruleset

poluuid

rule.uuid

profile

rule.ruleset

proto

network.iana_number

qclass

dns.question.class

qname

dns.question.name

qtype

dns.question.type

rcvdbyte

source.bytes

rcvdpkt

source.packets

recipient

destination.user.email

ref

event.reference

remip

destination.ip

remport

destination.port

saddr

source.address

scertcname

tls.client.server_name

scertissuer

tls.server.issuer

sender

source.user.email

sentbyte

source.bytes

sentpkt

source.packets

service

network.protocol

sess_duration

event.duration

srcdomain

source.domain

srcintf

observer.ingress.interface.name

srcip

source.ip

source_mac

source.mac

srcmac

source.mac

srcport

source.port

tranip

destination.nat.ip

tranport

destination.nat.port

transip

source.nat.ip

transport

source.nat.port

event.timezone

unauthuser

source.user.name

url

url.path

user

source.user.name

xid

dns.id

Fields

For a description of each field in the module, see the exported fields section.

Google Cloud module

Unresolved directive in modules/gcp.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Google Cloud logs. It supports reading audit, VPC flow, and firewall logs that have been exported from Stackdriver to a Google Pub/Sub topic sink.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`audit` fileset settings

Example config:

- module: gcp
  audit:
    enabled: true
    var.project_id: my-gcp-project-id
    var.topic: gcp-vpc-audit
    var.subscription_name: filebeat-gcp-audit-sub
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
    var.keep_original_message: false

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.project_id: Google Cloud project ID.
var.topic: Google Cloud Pub/Sub topic name.
var.subscription_name: Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
var.credentials_file: Path to a JSON file containing the credentials and key used to subscribe.
var.keep_original_message: Flag to control whether the original message is stored in the log.original field. Defaults to false, meaning the original message is not saved.

`vpcflow` fileset settings

Example config:

- module: gcp
  vpcflow:
    enabled: true
    var.project_id: my-gcp-project-id
    var.topic: gcp-vpc-flowlogs
    var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
    var.keep_original_message: false

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.project_id: Google Cloud project ID.
var.topic: Google Cloud Pub/Sub topic name.
var.subscription_name: Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
var.credentials_file: Path to a JSON file containing the credentials and key used to subscribe.
var.keep_original_message: Flag to control whether the original message is stored in the log.original field. Defaults to false, meaning the original message is not saved.

`firewall` fileset settings

Example config:

- module: gcp
  firewall:
    enabled: true
    var.project_id: my-gcp-project-id
    var.topic: gcp-vpc-firewall
    var.subscription_name: filebeat-gcp-vpc-firewall-sub
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
    var.keep_original_message: false

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.project_id: Google Cloud project ID.
var.topic: Google Cloud Pub/Sub topic name.
var.subscription_name: Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
var.credentials_file: Path to a JSON file containing the credentials and key used to subscribe.
var.keep_original_message: Flag to control whether the original message is stored in the log.original field. Defaults to false, meaning the original message is not saved.

Fields

For a description of each field in the module, see the exported fields section.

Google Workspace module

Unresolved directive in modules/google_workspace.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for ingesting data from the different Google Workspace audit reports APIs.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

It is compatible with a subset of applications under the Google Reports API v1. As of today it supports:

Google Workspace Service

Description

SAML api docs help

View users’ successful and failed sign-ins to SAML applications.

User Accounts api docs help

Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment.

Track user sign-in activity to your domain.

Admin api docs help

View administrator activity performed within the Google Admin console.

Drive api docs help

Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files.

Groups api docs help

Track changes to groups, group memberships and group messages.

Configure the module

In order for Filebeat to ingest data from the Google Reports API you must:

Have an administrator account, as described here.
Set up a ServiceAccount using the administrator account.
Set up access to the Admin SDK API for the ServiceAccount.
Enable Domain-Wide Delegation for your ServiceAccount.

This module will make use of the following oauth2 scope:

https://www.googleapis.com/auth/admin.reports.audit.readonly

Once you have downloaded your service account credentials as a JSON file, you can set up your module:

Configuration options

- module: google_workspace
  saml:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"
  user_accounts:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"
  login:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"
  admin:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"
  drive:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"
  groups:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "user@example.com"

Every fileset has the following configuration options:

var.jwt_file: Specifies the path to the JWT credentials file.
var.delegated_account: Email of the admin user used to access the API.
var.http_client_timeout: Duration of the time limit on HTTP requests made by the module. Defaults to 60s.
var.interval: Duration between requests to the API. Defaults to 2h.

Note	Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more here.

var.user_key: Specifies the user key to fetch reports from. Defaults to all.
var.initial_interval: It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to 24h.

Google Workspace Reports ECS fields

This is a list of Google Workspace Reports fields that are mapped to ECS.

Google Workspace Reports ECS Fields

items[].id.time

@timestamp

items[].id.uniqueQualifier

event.id

items[].id.applicationName

event.provider

items[].events[].name

event.action

items[].customerId

organization.id

items[].ipAddress

source.ip, related.ip`, source.as., source.geo.

items[].actor.email

source.user.email, source.user.name, source.user.domain

items[].actor.profileId

source.user.id

These are the common ones to all filesets.

Fields

For a description of each field in the module, see the exported fields section.

HAproxy module

Unresolved directive in modules/haproxy.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs from a (haproxy) process.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from haproxy running on AWS Linux as a gateway to a cluster of microservices.

The module was also tested with HAProxy 1.8, 1.9 and 2.0 running on a Debian.

This module is not available for Windows.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The module is by default configured to run via syslog on port 9001. However it can also be configured to read from a file path. See the following example.

- module: haproxy
  log:
    enabled: true
    var.paths: ["/var/log/haproxy.log"]
    var.input: "file"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboard

This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, and status codes over time. For example:

Fields

For a description of each field in the module, see the exported fields section.

IBM MQ module

The ibmmq module collects and parses the queue manager error logs from IBM MQ in the standard format.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested with IBM MQ v9.1.0.0, but it should be compatible with older versions.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for IBM MQ errorlog:

- module: ibmmq
  errorlog:
    enabled: true
    var.paths: ["C:/ibmmq/logs/*.log"]

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`errorlog` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

Icinga module

The {modulename} module parses the main, debug, and startup logs of Icinga.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with Icinga >= 2.x on various Linux and Windows systems.

This module is not available for macOS.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for logs:

- module: icinga
  main:
    enabled: true
    var.paths: ["/path/to/log/icinga2/icinga2.log*"]
  debug:
    enabled: true
    var.paths: ["/path/to/log/icinga2/debug.log*"]
  startup:
    enabled: true
    var.paths: ["/path/to/log/icinga2/startup.log"]

To specify the same settings at the command line, you use:

-M "icinga.main.var.paths=[/path/to/log/icinga2/icinga2.log*]" -M "icinga.debug.var.paths=[/path/to/log/icinga2/debug.log*]" -M "icinga.startup.var.paths=[/path/to/log/icinga2/startup.log]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`main` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`debug` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`startup` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with sample dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

IIS module

Unresolved directive in modules/iis.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module parses access and error logs created by the Internet Information Services (IIS) HTTP server.

Important

The {modulename} module currently supports only the default W3C log format.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The IIS module was tested with logs from version 7.5 and version 10.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for IIS access logs and error logs:

- module: iis
  access:
    enabled: true
    var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]
  error:
    enabled: true
    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]

To specify the same settings at the command line, you use:

-M "iis.access.var.paths=[C:/inetpub/logs/LogFiles/*/*.log]" -M "iis.error.var.paths=[C:/Windows/System32/LogFiles/HTTPERR/*.log]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`access` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`error` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

Imperva module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Unresolved directive in modules/imperva.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Imperva SecureSphere logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`securesphere` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9511

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Infoblox module

deprecated::[8.12.0,"This module is deprecated. Use the Infoblox NIOS Elastic integration instead."]

experimental[]

Unresolved directive in modules/infoblox.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Infoblox NIOS logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`nios` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9512

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Iptables module

Unresolved directive in modules/iptables.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for iptables and ip6tables logs. It parses logs received over the network via syslog or from a file. Also, it understands the prefix added by some Ubiquiti firewalls, which includes the rule set name, rule number and the action performed on the traffic (allow/deny).

When you run the module, it performs a few tasks under the hood:

Sets the default input to syslog and binds to localhost port 9001 (but don’t worry, you can override the defaults).
Uses an ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana.
Deploys dashboards for visualizing the log data.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The module is by default configured to run via syslog on port 9001. However it can also be configured to read from a file path. See the following example.

- module: iptables
  log:
    enabled: true
    var.paths: ["/var/log/iptables.log"]
    var.input: "file"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9001

Note	Ports below 1024 require Filebeat to run as root.

var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [iptables, forwarded].

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboard

This module comes with sample dashboards showing geolocation and network protocols used. One for all iptables logs:

and one specific for Ubiquiti Firewall logs:

Fields

For a description of each field in the module, see the exported fields section.

Juniper module

Unresolved directive in modules/juniper.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for ingesting data from the different Juniper Products. Currently supports these filesets:

srx fileset: Supports Juniper SRX logs
junos fileset: Supports Juniper JUNOS logs
netscreen fileset: Supports Juniper Netscreen logs

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

beta[]

`srx` fileset settings

The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" JunOS Documentation structured-data

To configure a remote syslog destination, please reference the SRX Getting Started - Configure System Logging.

The following processes and tags are supported:

JunOS processes

JunOS tags

RT_FLOW

RT_FLOW_SESSION_CREATE

RT_FLOW_SESSION_CLOSE

RT_FLOW_SESSION_DENY

APPTRACK_SESSION_CREATE

APPTRACK_SESSION_CLOSE

APPTRACK_SESSION_VOL_UPDATE

RT_IDS

RT_SCREEN_TCP

RT_SCREEN_UDP

RT_SCREEN_ICMP

RT_SCREEN_IP

RT_SCREEN_TCP_DST_IP

RT_SCREEN_TCP_SRC_IP

RT_UTM

WEBFILTER_URL_PERMITTED

WEBFILTER_URL_BLOCKED

AV_VIRUS_DETECTED_MT

CONTENT_FILTERING_BLOCKED_MT

ANTISPAM_SPAM_DETECTED_MT

RT_IDP

IDP_ATTACK_LOG_EVENT

IDP_APPDDOS_APP_STATE_EVENT

RT_AAMW

SRX_AAMW_ACTION_LOG

AAMW_MALWARE_EVENT_LOG

AAMW_HOST_INFECTED_EVENT_LOG

AAMW_ACTION_LOG

RT_SECINTEL

SECINTEL_ACTION_LOG

The syslog format choosen should be Default.

Compatibility

This module has been tested against JunOS version 19.x and 20.x. Versions above this are expected to work but have not been tested.

- module: juniper
  junos:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9006

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.input: The input to use, can be either the value tcp, udp or file.
var.syslog_host: The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9006.

Juniper SRX ECS fields

This is a list of JunOS fields that are mapped to ECS.

Juniper SRX Fields

ECS Fields

application-risk

event.risk_score

bytes-from-client

source.bytes

bytes-from-server

destination.bytes

destination-interface-name

observer.egress.interface.name

destination-zone-name

observer.egress.zone

destination-address

destination.ip

destination-port

destination.port

dst_domainname

url.domain

elapsed-time

event.duration

filename

file.name

nat-destination-address

destination.nat.ip

nat-destination-port

destination.nat.port

nat-source-address

source.nat.ip

nat-source-port

source.nat.port

message

obj

url.path

packets-from-client

source.packets

packets-from-server

destination.packets

policy-name

rule.name

protocol

network.transport

source-address

source.ip

source-interface-name

observer.ingress.interface.name

source-port

source.port

source-zone-name

observer.ingress.zone

url

url.domain

`junos` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Juniper SRX Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9513

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

`netscreen` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "netscreen" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9523

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Kafka module

Unresolved directive in modules/kafka.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses the logs created by Kafka.

The module has additional support for parsing thread ID from logs.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from versions 0.9, 1.1.0 and 2.0.0.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for logs:

- module: kafka
  log:
    enabled: true
    var.paths:
      - "/path/to/logs/controller.log*"
      - "/path/to/logs/server.log*"
      - "/path/to/logs/state-change.log*"
      - "/path/to/logs/kafka-*.log*"

To specify the same settings at the command line, you use:

-M "kafka.log.var.paths=[/path/to/logs/controller.log*, /path/to/logs/server.log*, /path/to/logs/state-change.log*, /path/to/logs/kafka-*.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.kafka_home

The path to your Kafka installation. The default is /opt. For example:

- module: kafka
  log:
    enabled: true
    var.kafka_home: /usr/share/kafka_2.12-2.4.0
    ...

var.paths

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboard

This module comes with a sample dashboard to see Kafka logs and stack traces.

Fields

For a description of each field in the module, see the exported fields section.

Kibana module

Unresolved directive in modules/kibana.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is the Kibana module.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The Kibana modules is compatible with Kibana 6.3 and newer.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`audit` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Fields

For a description of each field in the module, see the exported fields section.

Logstash module

Unresolved directive in modules/logstash.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} modules parse logstash regular logs and the slow log, it will support the plain text format and the JSON format.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

The {modulename} module has two filesets:

The log fileset collects and parses the logs that Logstash writes to disk.
The slowlog fileset parses the logstash slowlog.

For the slowlog fileset, make sure to configure the {logstash-ref}/logging.html#_slowlog[Logstash slowlog option].

Compatibility

The Logstash log fileset was tested with logs from Logstash 5.6 and 6.0.

The Logstash slowlog fileset was tested with logs from Logstash 5.6 and 6.0

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for Logstash logs.

- module: logstash
  log:
    enabled: true
    var.paths: ["/path/to/log/logstash.log*"]
  slowlog:
    enabled: true
    var.paths: ["/path/to/log/logstash-slowlog.log*"]

To specify the same settings at the command line, you use:

-M "logstash.log.var.paths=[/path/to/log/logstash/logstash-server.log*]" -M "logstash.slowlog.var.paths=[/path/to/log/logstash/logstash-slowlog.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`slowlog` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboards

This module comes with two sample dashboards.

Known issues

When using the log fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly.

Fields

For a description of each field in the module, see the exported fields section.

Microsoft module

Unresolved directive in modules/microsoft.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets:

defender_atp fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP)
m365_defender fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection)
dhcp fileset: Supports Microsoft DHCP logs

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`m365_defender` fileset settings

To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API

The procedure to create an application is found on the below link:

Create a new Azure Application

When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

Client ID
Client Secret
Tenant ID

Example config:

- module: microsoft
  m365_defender:
    enabled: true
    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
    var.oauth2.client.secret: "980453~-Sg99gedf"
    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
    var.oauth2.scopes:
      - "https://api.security.microsoft.com/.default"

var.oauth2.client.id: This is the client ID related to creating a new application on Azure.
var.oauth2.client.secret: The secret related to the client ID.
var.oauth2.token_url: A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
var.oauth2.scopes: A list of included scopes, should use .default unless different is specified.

365 Defender ECS fields

This is a list of 365 Defender fields that are mapped to ECS.

365 Defender Fields

ECS Fields

lastUpdateTime

@timestamp

severity

event.severity

createdTime

event.created

alerts.category

threat.technique.name

alerts.description

rule.description

alerts.serviceSource

event.provider

alerts.alertId

event.id

alerts.firstActivity

event.start

alerts.lastActivity

event.end

alerts.title

message

entities.processId

process.pid

entities.processCommandLine

process.command_line

entities.processCreationTime

process.start

entities.parentProcessId

process.parent.pid

entities.parentProcessCreationTime

process.parent.start

entities.sha1

file.hash.sha1

entities.sha256

file.hash.sha256

entities.url

url.full

entities.filePath

file.path

entities.fileName

file.name

entities.userPrincipalName

host.user.name

entities.domainName

host.user.domain

entities.aadUserId

host.user.id

`defender_atp` fileset settings

To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.

The procedure to create an application is found on the below link:

Create a new Azure Application

When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

Client ID
Client Secret
Tenant ID

Example config:

- module: microsoft
  defender_atp:
    enabled: true
    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
    var.oauth2.client.secret: "980453~-Sg99gedf"
    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"

var.oauth2.client.id: This is the client ID related to creating a new application on Azure.
var.oauth2.client.secret: The secret related to the client ID.
var.oauth2.token_url: A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.

Defender ATP ECS fields

This is a list of Defender ATP fields that are mapped to ECS.

Defender ATP Fields

ECS Fields

alertCreationTime

@timestamp

aadTenantId

cloud.account.id

Dashboards

This module comes with a sample dashboard for Defender ATP.

The best way to view Defender ATP events and alert data is in the SIEM.

For alerts, go to Detections → External alerts.

And for all other Defender ATP event types, go to Host → Events.

`dhcp` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Microsoft DHCP Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9515

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

MISP module

deprecated::[7.14.0,"This module is deprecated. Use the Threat Intel module instead."]

beta[]

This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.

The configuration in the config.yml file uses the following format:

var.api_key: specifies the API key to access MISP.
var.http_request_body: an object containing any parameter that needs to be sent to the search API. Default: limit: 1000
var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"

Tip	Read the quick start to learn how to configure and run modules.

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

MongoDB module

Unresolved directive in modules/mongodb.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs created by MongoDB.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with plaintext logs from version v3.2.11 on Debian and json logs from version v4.4.4 on Ubuntu.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for MongoDB logs:

- module: mongodb
  log:
    enabled: true
    var.paths: ["/path/to/log/mongodb/*.log*"]

To specify the same settings at the command line, you use:

-M "mongodb.log.var.paths=[/path/to/log/mongodb/*.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with one sample dashboard including error and regular logs.

Fields

For a description of each field in the module, see the exported fields section.

MSSQL module

The {modulename} module parses error logs created by MSSQL.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for MSSQL logs:

- module: mssql
  log:
    enabled: true
    var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']

To specify the same settings at the command line, you use:

-M "mssql.log.var.paths=['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Fields

For a description of each field in the module, see the exported fields section.

MySQL module

Unresolved directive in modules/mysql.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses the slow logs and error logs created by MySQL.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from MySQL 5.5, 5.7 and 8.0, MariaDB 10.1, 10.2 and 10.3, and Percona 5.7 and 8.0.

On Windows, the module was tested with MySQL installed from the Chocolatey repository.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for slow logs and error logs:

- module: mysql
  error:
    enabled: true
    var.paths: ["/path/to/log/mysql/error.log*"]
  slowlog:
    enabled: true
    var.paths: ["/path/to/log/mysql/mysql-slow.log*"]

To specify the same settings at the command line, you use:

-M "mysql.error.var.paths=[/path/to/log/mysql/error.log*]" -M "mysql.slowlog.var.paths=[/path/to/log/mysql/mysql-slow.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`error` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`slowlog` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

MySQL Enterprise module

beta[]

This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format.

To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the MySQL Documentation.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested against MySQL Enterprise 5.7.x and 8.0.x

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`audit` fileset settings

Example config:

- module: mysqlenterprise
  audit:
    var.input: file
    var.paths: /home/user/mysqlauditlogs/audit.*.log

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [mysqlenterprise-audit].

MySQL Enterprise ECS Fields

MySQL Enterprise Audit fields are mapped to ECS in the following way:

MySQL Enterprise Fields

ECS Fields

account.user

server.user.name

account.host

client.domain

client.user.name

client.ip

startup_data.os_version

host.os.full

startup_data.args

process.args

connection_attributes._pid

process.pid

timestamp

@timestamp

Fields

For a description of each field in the module, see the exported fields section.

NATS module

Unresolved directive in modules/nats.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is the NATS module.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from version v1.4.0.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Dashboard

The {modulename} module comes with a predefined dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

NetFlow module

Unresolved directive in modules/netflow.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving NetFlow and IPFIX flow records over UDP. This input supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9.

This module wraps the netflow input to enrich the flow records with geolocation information about the IP endpoints by using an {es} ingest pipeline.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

The fileset is by default configured to listen for UDP traffic on localhost:2055. For most uses cases you will want to set the netflow_host variable to allow the input bind to all interfaces so that it can receive traffic from network devices.

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow_port: 2055

var.netflow_host: Address to bind to. Defaults to localhost.
var.netflow_port: Port to listen on. Defaults to 2055.
var.max_message_size: The maximum size of the message received over UDP. The default is 10KiB.
var.read_buffer: The size of the read buffer on the UDP socket.
var.timeout: The read and write timeout for socket operations.
var.expiration_timeout: The time before an idle session or unused template is expired. Only applicable to v9 and IPFIX protocols. A value of zero disables expiration.
var.queue_size: The maximum number of packets that can be queued for processing. Use this setting to avoid packet-loss when dealing with occasional bursts of traffic.
var.custom_definitions: A list of paths to field definitions YAML files. These allow to update the NetFlow/IPFIX fields with vendor extensions and to override existing fields. See netflow input for details.
var.detect_sequence_reset: Flag controlling whether Filebeat should monitor sequence numbers in the Netflow packets to detect an Exporting Process reset. See netflow input for details.
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the values of source.locality, destination.locality, and flow.locality. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [forwarded].

Fields

For a description of each field in the module, see the exported fields section.

Netscout module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

This is a module for receiving Arbor Peakflow SP logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`sightline` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9502

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Nginx module

Unresolved directive in modules/nginx.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module parses access and error logs created by the Nginx HTTP server.

ingress_controller fileset parses access logs created by ingress-nginx controller. Log patterns could be found on the controllers' docs.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The Nginx module was tested with logs from version 1.10.

On Windows, the module was tested with Nginx installed from the Chocolatey repository.

ingress_controller fileset was tested with version v0.28.0 and v0.34.1 of nginx-ingress-controller.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for access logs and error logs:

- module: nginx
  access:
    enabled: true
    var.paths: ["/path/to/log/nginx/access.log*"]
  error:
    enabled: true
    var.paths: ["/path/to/log/nginx/error.log*"]

To specify the same settings at the command line, you use:

-M "nginx.access.var.paths=[/path/to/log/nginx/access.log*]" -M "nginx.error.var.paths=[/path/to/log/nginx/error.log*]"

The following example shows how to configure ingress_controller fileset which can be used in Kubernetes environments to parse ingress-nginx logs:

- module: nginx
  ingress_controller:
    enabled: true
    var.paths: ["/path/to/log/nginx/ingress.log"]

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`access` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`error` log fileset

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`ingress_controller` log fileset

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboard

This module comes with sample dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

Office 365 module

beta[]

Unresolved directive in modules/o365.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Office 365 logs received via one of the Office 365 API endpoints. It currently supports user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs exposed by the Office 365 Management Activity API.

The {plugins}/ingest-geoip.html[ingest-geoip] and {plugins}/ingest-user-agent.html[ingest-user_agent] Elasticsearch plugins are required to run this module.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`audit` fileset settings

The audit fileset uses the Office 365 Management Activity API to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under Audit Log Search in the Security and Compliance Center.

Setup

To use this fileset you need to enable Audit Log Search and register an application in Azure AD.

Once this application is registered note the Application (client) ID and the Directory (tenant) ID. Then configure the authentication in the Certificates & Secrets section.

Example configuration o365.yml using client-secret authentication:

  audit:
    enabled: true
    var.application_id: "<My Azure AD Application ID>"
    var.tenants:
      - id: "<My Tenant ID>"
        name: "mytenant.onmicrosoft.com"
    var.client_secret: "<My client secret>"

Certificate-based authentication is specially useful when monitoring multiple tenants. Example configuration:

  audit:
    enabled: true
    var.application_id: "<My Azure AD Application ID>"
    var.tenants:
      - id: "<Tenant A ID>"
        name: "tenantA.onmicrosoft.com"
      - id: "<Tenant B ID>"
        name: "tenantB.onmicrosoft.com"
    var.certificate: "/path/to/certificate.pem"
    var.key: "/path/to/private_key.pem"
    var.key_passphrase: "my_passphrase" # (optional) for encrypted keys

Finally you need to add permissions in the API permissions section and grant it admin consent. Click on Add permission and select Office 365 Management APIs. The needed permissions are:

User.Read
ActivityFeed.Read
ActivityFeed.ReadDlp
ServiceHealth.Read

Once the required permissions are added, click the Grant admin consent button. Note that it can take a while for the required permissions to be in effect, so it’s possible that you observe some permission errors when running Filebeat right away.

Alternative endpoints

This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the authentication_endpoint and resource variables accordingly. For example:

    var.api:
      # default is https://login.microsoftonline.com/
      authentication_endpoint: https://login.microsoftonline.us/
      # default is https://manage.office.com
      resource: https://manage.office365.us

Configuration options

var.application_id

The Application ID (also known as client ID) of the Azure application.

var.tenants

A list of one or more tenant IDs and name pairs. Set the id field to the tenant ID (also known as Directory ID). Set the name to the host name for the tenant, that is, the Office 365 domain for your organization.

var.client_secret

The client-secret (api_key) used to authenticate your Azure AD application. This option cannot be specified at the same time as the var.certificate option.

var.certificate

Path to the certificate file used for client authentication. This option cannot be specified at the same time as the var.client_secret option.

var.key

Path to the private key file used for client authentication.

var.key_passphrase

The passphrase used to decrypt an encrypted key stored in the configured var.key file. Only set this option when the key is encrypted.

var.content_type

The list of content-types to subscribe to. By default, it subscribes to all known content-types:

Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All

Advanced configuration options

The following configuration options are only recomended in case of problems. They must be nested under a single var.api key, like this:

    var.api:
      authentication_endpoint: https://login.microsoftonline.com/
      resource: https://manage.office.com
      max_retention: 168h
      poll_interval: 3m
      max_requests_per_minute: 2000
      max_query_size: 24h

var.api.authentication_endpoint: The authentication endpoint used to authorize the Azure app. This is https://login.microsoftonline.com/ by default, and can be changed to access alternative endpoints.
var.api.resource: The API resource to retrieve information from. This is https://manage.office.com by default, and can be changed to access alternative endpoints.
var.api.max_retention: The maximum data retention period to support. 168h by default. Filebeat will fetch all retained data for a tenant when run for the first time. The default is 7 days, which matches the standard period that Microsoft will keep the logs before deleting them. Only increase it if your tenant has a longer retention period.
var.api.poll_interval: The interval to wait before polling the API server for new events. Default 3m.
var.api.max_requests_per_minute: The maximum number of requests to perform per minute, for each tenant. The default is 2000, as this is the server-side limit per tenant.
var.api.max_query_size: The maximum time window that API allows in a single query. Defaults to 24h to match Microsoft’s documented limit.

Example dashboard

This module comes with a sample dashboard:

Fields

For a description of each field in the module, see the exported fields section.

Okta module

Unresolved directive in modules/okta.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The Okta module collects events from the Okta API. Specifically this supports reading from the Okta System Log API.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`system` fileset settings

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

This is an example configuration for the module.

- module: okta
  system:
    var.url: https://yourOktaDomain/api/v1/logs
    var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'

Configuration options

var.url

Specifies the URL to the Okta System Log API. Required.

    var.url: https://mycompany.okta.com/api/v1/logs

var.api_key

Specifies the Okta API token to use in requests to the API. Required. The token is used in an HTTP Authorization header with the SSWS scheme. See Create an API token for information on how to obtain a token.

    var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'

var.http_client_timeout

Duration of the time limit on HTTP requests made by the module. Defaults to 60s.

var.interval

Duration between requests to the API. Defaults to 60s.

var.keep_original_message

Boolean flag indicating if the original JSON event string should be included in the event.original field. Defaults to true.

var.ssl

Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the ssl section is missing, the host CAs are used for HTTPS connections to Okta. See [configuration-ssl] for more information.

    var.ssl:
      supported_protocols: [TLSv1.2]

var.initial_interval

An initial interval can be defined. The first time the module starts, will fetch events from the current moment minus the initial interval value. Following restarts will fetch events starting from the last event read. It defaults to 24h.

    var.initial_interval: 24h # will fetch events starting 24h ago.

input.request.rate_limit.early_limit

You can override the default rate-limiting behavior in [filebeat-input-httpjson]. The default for the Okta module is to use up to 89% of the Okta rate-limit, which should avoid Okta Warnings on rate-limit usage.

    input.request.rate_limit.early_limit: 0.89

Example dashboard

This module comes with a sample dashboard:

Fields

For a description of each field in the module, see the exported fields section.

Oracle module

Unresolved directive in modules/oracle.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for ingesting Audit Trail logs from Oracle Databases.

The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the Oracle Database Audit Trail Documentation.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`database_audit` fileset settings

Example config:

- module: oracle
  database_audit:
    var.input: file
    var.paths: /home/user/oracleauditlogs/*/*.aud

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [oracle-database-audit].

Oracle Database fields

Oracle Database fields are mapped to the current ECS Fields:

Oracle Fields

ECS Fields

privilege

host.user.roles

client_user

client.user.name

userhost

client.ip/domain

database_user

server.user.name

Fields

For a description of each field in the module, see the exported fields section.

Osquery module

Unresolved directive in modules/osquery.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and decodes the result logs written by osqueryd in the JSON format. To set up osqueryd follow the osquery installation instructions for your operating system and configure the filesystem logging driver (the default). Make sure UTC timestamps are enabled.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from osquery version 2.10.2. Since the results are written in the JSON format, it is likely that this module works with any version of osquery.

This module is available on Linux, macOS, and Windows.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for the syslog and authorization logs:

- module: osquery
  result:
    enabled: true
    var.paths: ["/path/to/osqueryd.results.log*"]

To specify the same settings at the command line, you use:

-M "osquery.result.var.paths=[/path/to/osqueryd.results.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`result` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.use_namespace: If true, all fields exported by this module are prefixed with osquery.result. Set to false to copy the fields in the root of the document. If enabled, this setting also disables the renaming of some fields (e.g. hostIdentifier to host_identifier). Note that if you set this to false, the sample dashboards coming with this module won’t work correctly. The default is true.

Example dashboard

This module comes with a sample dashboard for visualizing the data collected by the "compliance" pack. To collect this data, enable the it-compliance pack in the osquery configuration file.

Fields

For a description of each field in the module, see the exported fields section.

Palo Alto Networks module

Unresolved directive in modules/panw.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of Traffic and Threat types.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.

The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The module is by default configured to run via syslog on port 9001. However it can also be configured to read logs from a file. See the following example.

- module: panw
  panos:
    enabled: true
    var.paths: ["/var/log/pan-os.log"]
    var.input: "file"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`panos` fileset settings

Example config:

  panos:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.syslog_host: The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The UDP port to listen for syslog traffic. Defaults to 9001

Note	Ports below 1024 require Filebeat to run as root.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

ECS field mappings

These are the PAN-OS to ECS field mappings as well as those fields still not in ECS that are added under the panw.panos prefix:

Table 1. Traffic log mappings
PAN-OS Field	ECS Field	Non-standard field
Receive Time	event.created
Serial Number	observer.serial_number
Type	event.category
Subtype	event.action
Generated Time	`@timestamp`
Source IP	client.ip source.ip
Destination IP	server.ip destination.ip
NAT Source IP		panw.panos.source.nat.ip
NAT Destination IP		panw.panos.destination.nat.ip
Rule Name		panw.panos.ruleset
Source User	client.user.name source.user.name
Destination User	server.user.name destination.user.name
Application	network.application
Source Zone		panw.panos.source.zone
Destination Zone		panw.panos.destination.zone
Ingress Interface		panw.panos.source.interface
Egress Interface		panw.panos.destination.interface
Session ID		panw.panos.flow_id
Source Port	client.port source.port
Destination Port	destination.port server.port
NAT Source Port		panw.panos.source.nat.port
NAT Destination Port		panw.panos.destination.nat.port
Flags	labels
Protocol	network.transport
Action	event.outcome
Bytes	network.bytes
Bytes Sent	client.bytes source.bytes
Bytes Received	server.bytes destination.bytes
Packets	network.packets
Start Time	event.start
Elapsed Time	event.duration
Category		panw.panos.url.category
Sequence Number		panw.panos.sequence_number
Packets Sent	server.packets destination.packets
Packets Received	client.packets source.packets
Device Name	observer.hostname

Table 2. Threat logs mappings
PAN-OS Field	ECS Field	Non-standard field
Receive Time	event.created
Serial Number	observer.serial_number
Type	event.category
Subtype	event.action
Generated Time	`@timestamp`
Source IP	client.ip source.ip
Destination IP	server.ip destination.ip
NAT Source IP		panw.panos.source.nat.ip
NAT Destination IP		panw.panos.destination.nat.ip
Rule Name		panw.panos.ruleset
Source User	client.user.name source.user.name
Destination User	server.user.name destination.user.name
Application	network.application
Source Zone		panw.panos.source.zone
Destination Zone		panw.panos.destination.zone
Ingress Interface		panw.panos.source.interface
Egress Interface		panw.panos.destination.interface
Session ID		panw.panos.flow_id
Source Port	client.port source.port
Destination Port	destination.port server.port
NAT Source Port		panw.panos.source.nat.port
NAT Destination Port		panw.panos.destination.nat.port
Flags	labels
Protocol	network.transport
Action	event.outcome
Miscellaneous	url.original	panw.panos.threat.resource
Threat ID		panw.panos.threat.id
Category		panw.panos.url.category
Severity	log.level
Direction	network.direction
Source Location	source.geo.name
Destination Location	destination.geo.name
PCAP_id		panw.panos.network.pcap_id
Filedigest		panw.panos.file.hash
User Agent	user_agent.original
File Type	file.type
X-Forwarded-For	network.forwarded_ip
Referer	http.request.referer
Sender	source.user.email
Subject		panw.panos.subject
Recipient	destination.user.email
Device Name	observer.hostname

Example dashboard

This module comes with two sample dashboards:

Fields

For a description of each field in the module, see the exported fields section.

pensando module

The {modulename} module parses distributed firewall logs created by the Pensando distributed services card (DSC).

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The Pensando module has been tested with 1.12.0-E-54 and later.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default. The following example shows how to set parameters in the modules.d/{modulename}.yml file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001):

- module: pensando
  access:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: [9001]

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`dfw` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

PostgreSQL module

Unresolved directive in modules/postgresql.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs created by PostgreSQL.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module comes in two flavours: a parser of log files based on Linux distribution defaults, and a CSV log parser, that you need to enable in database configuration.

The {modulename} module using .log was tested with logs from versions 9.5 on Ubuntu, 9.6 on Debian, and finally 10.11, 11.4 and 12.2 on Arch Linux 9.3.

The {modulename} module using .csv was tested using versions 11 and 13 (distro is not relevant here).

Supported log formats

This module can collect any logs from PostgreSQL servers, but to be able to better analyze their contents and extract more information, they should be formatted in a determined way.

There are some settings to take into account for the log format.

Log lines should be preffixed with the timestamp in milliseconds, the process id, the user id and the database name. This uses to be the default in most distributions, and is translated to this setting in the configuration file:

log_line_prefix = '%m [%p] %q%u@%d '

PostgreSQL server can be configured to log statements and their durations and this module is able to collect this information. To be able to correlate each duration with their statements, they must be logged in the same line. This happens when the following options are used:

log_duration = 'on'
log_statement = 'none'
log_min_duration_statement = 0

Setting a zero value in log_min_duration_statement will log all statements executed by a client. You probably want to configure it to a higher value, so it logs only slower statements. This value is configured in milliseconds.

When using log_statement and log_duration together, statements and durations are logged in different lines, and Filebeat is not able to correlate both values, for this reason it is recommended to disable log_statement.

Note

The PostgreSQL module of Metricbeat is also able to collect information about all statements executed in the server. You may chose which one is better for your needings. An important difference is that the Metricbeat module collects aggregated information when the statement is executed several times, but cannot know when each statement was executed. This information can be obtained from logs.

Other logging options that you may consider to enable are the following ones:

log_checkpoints = 'on';
log_connections = 'on';
log_disconnections = 'on';
log_lock_waits = 'on';

Both log_connections and log_disconnections can cause a lot of events if you don’t have persistent connections, so enable with care.

Using CSV logs

Since the PostgreSQL CSV log file is a well-defined format, there is almost no configuration to be done in Filebeat, just the filepath.

On the other hand, it’s necessary to configure postgresql to emit .csv logs. The recommended parameters are:

logging_collector = 'on';
log_destination = 'csvlog';

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for PostgreSQL logs:

- module: postgresql
  log:
    enabled: true
    var.paths: ["/path/to/log/postgres/*.log*"]

To specify the same settings at the command line, you use:

-M "postgresql.log.var.paths=[/path/to/log/postgres/*.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboards

This module comes with two sample dashboards.

The first dashboard is for regular logs.

The second one shows the slowlogs of PostgreSQL. If log_min_duration_statement is not used, this dashboard will show incomplete or no data.

Fields

For a description of each field in the module, see the exported fields section.

Proofpoint module

deprecated::[8.12.0,"This module is deprecated. Use the Proofpoint TAP Elastic integration instead."]

experimental[]

Unresolved directive in modules/proofpoint.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Proofpoint Email Security logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`emailsecurity` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "proofpoint" device revision 131.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9531

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

RabbitMQ module

Unresolved directive in modules/rabbitmq.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is the module for parsing RabbitMQ log files It will only support RabbitMQ default i.e RFC 3339 timestamp format using TIMESTAMP_ISO8601.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

Parses single file format introduced in 3.7.0.

Tested with version 3.7.14.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for RabbitMQ logs:

- module: rabbitmq
  log:
    enabled: true
    var.paths: ["/path/to/log/rabbitmq/*.log*"]

To specify the same settings at the command line, you use:

-M "rabbitmq.log.var.paths=[/path/to/log/rabbitmq/*.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Fields

For a description of each field in the module, see the exported fields section.

Radware module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Unresolved directive in modules/radware.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Radware DefensePro logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`defensepro` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9518

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Redis module

Unresolved directive in modules/redis.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module parses logs and slowlogs created by Redis.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

The {modulename} module has two filesets:

The log fileset collects and parses the logs that Redis writes to disk.
The slowlog fileset connects to Redis via the network and retrieves the slow logs by using the SLOWLOG command.

For the log fileset, make sure the logfile option, from the Redis configuration file, is set to redis-server.log.

For the slowlog fileset, make sure the slowlog-log-slower-than option, from the Redis configuration file, is set to a lower value than the default one.

Compatibility

The Redis log fileset was tested with logs from Redis versions 1.2.6, 2.4.6, and 3.0.2, so we expect compatibility with any version 1.x, 2.x, or 3.x.

On Windows, the default paths assume that Redis was installed from the Chocolatey repository.

The Redis slowlog fileset was tested with Redis 3.0.2 and 2.4.6. We expect compatibility with any Redis version newer than 2.2.12, when the SLOWLOG command was added.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for Redis logs. It also shows how to set the host and password to retrieve slow logs:

- module: redis
  log:
    enabled: true
    var.paths: ["/path/to/log/redis/redis-server.log*"]
  slowlog:
    enabled: true
    var.hosts: ["localhost:6378"]
    var.password: "{pwd}"

To specify the same settings at the command line, you use:

-M "redis.log.var.paths=[/path/to/log/redis/redis-server.log*]" -M "redis.slowlog.var.hosts=[localhost:6378]" -M "redis.slowlog.var.password=[YOUR_PASSWORD]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`slowlog` fileset settings

var.hosts: An array of hosts to which Filebeat should connect to retrieve the slow logs. If left empty, localhost:6379 is assumed.
var.password: The password to use to connect to Redis, in case Redis authentication is enabled (the requirepass option in the Redis configuration).

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

Salesforce module

This is a module for Salesforce logs. It collects the logs using the following two different types of inputs:

httpjson input: collects historical data from Salesforce REST API.
cometd input: collects real-time data from Salesforce Streaming API.

It includes the following filesets for receiving logs:

login-rest fileset: supports Salesforce Login logs received from the REST API.
login-stream fileset: supports Salesforce Login logs received from the Streaming API.
logout-rest fileset: supports Salesforce Logout logs received from the REST API.
logout-stream fileset: supports Salesforce Logout logs received from the Streaming API.
apex-rest fileset: supports Salesforce Apex logs received from the REST API.
setupaudittrail-rest fileset: supports logs generated when admins make in your org’s Setup area.

Note: We can leverage the inputs provided above to collect the rest of the events from the Salesforce REST or Streaming API.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

`login-rest` fileset settings

Example config:

- module: salesforce
  login-rest:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.

`login-stream` fileset settings

Example config:

- module: salesforce
  login-stream:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.

`logout-rest` fileset settings

Example config:

- module: salesforce
  logout-rest:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.

`logout-stream` fileset settings

Example config:

- module: salesforce
  logout-stream:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.

`setupaudittrail-rest` fileset settings

Example config:

- module: salesforce
  setupaudittrail-rest:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"
    var.interval: 1h

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.
var.interval: Period of fetching logs, i.e. 1s/1m/1h.

Note: The default value of var.interval is 1h. It is important to exercise caution when reducing the interval, as it directly affects the API rate limit of the Salesforce instance. Salesforce API rate limit is ~1000 API calls per hour. Hence if user goes with lower limit of var.interval, the Salesforce API rate limit will exceed and any additional API requests beyond the limit will result in an error response from the Salesforce API. The error message will typically indicate that the rate limit has been exceeded. Please refer to the following link for the Salesforce API Rate Limit.

`apex-rest` fileset settings

Example config:

- module: salesforce
  apex-rest:
    enabled: true
    var.client_id: "my-client-id"
    var.client_secret: "my-client-secret"
    var.token_url: "https://login.salesforce.com/services/oauth2/token"
    var.user: "my.email@here.com"
    var.password: "password"
    var.url: "https://instance-url.salesforce.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.client_id: Oauth client ID.
var.client_secret: Oauth client secret.
var.token_url: Oauth token URL.
var.user: The user used as part of the authentication flow. It is required for authentication - grant type password.
var.password: The password used as part of the authentication flow. It is required for authentication - grant type password.
var.url: The URL of the Saleforce instance.

Example dashboard

This Salesforce module comes with several predefined dashboards, including Login, Logout, Apex, and Setup Audit Trails Dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

Santa module

Unresolved directive in modules/santa.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs from Google Santa, a security tool for macOS that monitors process executions and can blacklist/whitelist binaries.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from Santa 0.9.14.

This module is available for MacOS only.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The module is by default configured to read logs from /var/log/santa.log.

- module: santa
  log:
    enabled: true
    var.paths: ["/var/log/santa.log"]
    var.input: "file"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboard

This module comes with a sample dashboard showing and overview of the processes that are executing.

Fields

For a description of each field in the module, see the exported fields section.

Snort module

deprecated::[8.12.0,"This module is deprecated. Use the Snort Elastic integration instead."]

experimental[]

Unresolved directive in modules/snort.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Snort/Sourcefire logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "snort" device revision 134.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9532

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Snyk module

beta[]

This is a module for ingesting data from the different Snyk API Endpoints. Currently supports these filesets:

vulnerabilities fileset: Collects all found vulnerabilities for the related organizations and projects
audit fileset: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`audit` fileset settings

beta[]

To configure access for Filebeat to the Snyk Audit Log API you will have to generate an API access token as described in the Snyk Documentation

Example config:

- module: snyk
  audit:
    var.input: httpjson
    var.audit_type: organization
    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
    var.interval: 1h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342

There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:

- module: snyk
  audit:
    var.input: httpjson
    var.audit_type: organization
    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
    var.interval: 1h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.email_address: "test@example.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.first_interval: How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
var.audit_type: What audit type to collect, can be either "group" or "organization".
var.audit_id: The ID related to the audit_type. If audit type is group, then this value should be the group ID, or if it is organization it should be the organization ID to collect from.
var.api_token: The API token that is created for a specific user, found in the Snyk management dashboard.
var.project_id: Optional field for filtering, will return only logs for this specific project.
var.user_id: Optional field for filtering, user public ID. Will fetch only audit logs originated from this user’s actions.
var.event: Optional field for filtering, will return only logs for this specific event.
var.email_address: Optional field for filtering, User email address. Will fetch only audit logs originated from this user’s actions.

Snyk Audit Log ECS Fields

This is a list of Snyk Audit Log fields that are mapped to ECS.

Snyk Audit log fields

ECS Fields

groupId

user.group.id

userId

user.id

event

event.action

created

@timestamp

`vulnerabilities` fileset settings

beta[]

To configure access for Filebeat to the Snyk Vulnerabilities API you will have to generate an API access token as described in the Snyk Documentation

Example config:

- module: snyk
  vulnerabilities:
    var.input: httpjson
    var.interval: 24h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.orgs:
      - 12354-asdfdf-123543-asdsdfg
      - 76554-jhggfd-654342-hgrfasd

There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:

- module: snyk
  vulnerabilities:
    var.input: httpjson
    var.interval: 24h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.orgs:
      - 12354-asdfdf-123543-asdsdfg
      - 76554-jhggfd-654342-hgrfasd
    var.included_severity:
      - medium
      - high
    var.types:
      - vuln

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.first_interval: How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
var.api_token: The API token that is created for a specific user, found in the Snyk management dashboard.
var.orgs: The list of org IDs to filter the results by. One organization ID per line, starting with a - sign
var.included_severity: Optional list of fields for filtering, the severity levels of issues to filter the results by.
var.exploit_maturit: Optional list of fields for filtering, the exploit maturity levels of issues to filter the results by.
var.types: Optional list of fields for filtering, the type of issues to filter the results by.
var.languages: Optional list of fields for filtering, the type of languages to filter the results by.
var.identifier: Optional field for filtering, search term to filter issue name by, or an exact CVE or CWE.
var.ignored: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.patched: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.fixable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_fixed: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_patchable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_pinnable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.min_priority_score: Optional field for filtering, The minimum priority score ranging between 0-1000
var.max_priority_score: Optional field for filtering, The maximum priority score ranging between 0-1000

Snyk Audit Log ECS Fields

This is a list of Snyk Vulnerability fields that are mapped to ECS.

Fields

For a description of each field in the module, see the exported fields section.

Sonicwall module

deprecated::[8.12.0,"This module is deprecated. Use the SonicWall Firewall Elastic integration instead."]

experimental[]

Unresolved directive in modules/sonicwall.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Sonicwall-FW logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`firewall` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9519

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Sophos module

Unresolved directive in modules/sophos.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Sophos Products, currently it accepts logs in syslog format or from a file for the following devices:

xg fileset: supports Sophos XG SFOS logs.
utm fileset: supports Sophos UTM logs.

To configure a remote syslog destination, please reference the SophosXG/SFOS Documentation.

The syslog format choosen in Sophos configuration should be Central Reporting Format.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. Versions above this and between 18.0 - 18.5 are expected to work but have not been tested.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`xg` fileset settings

The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.

Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname

- module: sophos
  xg:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9005
    var.default_host_name: firewall.localgroup.local
    var.known_devices:
      - serial_number: "1234567890123457"
        hostname: "a.host.local"
      - serial_number: "1234234590678557"
        hostname: "b.host.local"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.input: The input to use, can be either the value tcp, udp or file.
var.syslog_host: The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9005.
var.host_name: Host name / Observer name, since SophosXG does not provide this in the syslog file. Default to firewall.localgroup.local

SophosXG ECS fields

This is a list of SophosXG fields that are mapped to ECS.

SophosXG Fields

ECS Fields

application

network.protocol

classification

rule.category

device_id

observer.serial_number

domainname

url.domain

dst_host

destination.address

dst_int

observer.egress.interface.name

dstzonetype

observer.egress.zone

dst_ip

destination.ip

destinationip

destination.ip

dst_mac

destination.mac

dstname

destination.address

dst_port

destination.port

dst_domainname

url.domain

duration

event.duration

filename

file.name

filetype

file.extension

file_size

file.size

file_path

file.directory

fw_rule_id

rule.id

from_email_address

source.user.email

httpstatus

http.response.status_code

in_interface

observer.ingress.interface.name

log_id

event.code

log_subtype

event.action

message

method

http.request.method

policy_type

rule.ruleset

protocol

network.transport

recv_bytes

destination.bytes

recv_pkts

destination.packets

referer

http.request.referrer

sent_bytes

source.bytes

sent_pkts

source.packets

sha1sum

file.hash.sha1

srczonetype

observer.ingress.zone

src_ip

source.ip

src_domainname

url.domain

sourceip

source.ip

src_mac

source.mac

src_port

source.port

status_code

http.response.status_code

time_zone

event.timezone

to_email_address

destination.user.email

tran_dst_ip

destination.nat.ip

tran_dst_port

destination.nat.port

tran_src_ip

source.nat.ip

tran_src_port

source.nat.port

url

url.original

user_agent

user_agent.original

useragent

user_agent.original

user_gp

source.user.group

user_name

source.user.name

ws_protocol

http.version

`utm` fileset settings

deprecated::[8.12.0,"This fileset is deprecated. Use the Sophos Elastic integration instead."]

experimental[]

Note	This was converted from RSA NetWitness log parser XML "astarosg" device revision 123.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9533

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Squid module

deprecated::[8.12.0,"This module is deprecated. See Migrating from a Deprecated Filebeat Module for migration options."]

experimental[]

Unresolved directive in modules/squid.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Squid logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "squid" device revision 112.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9520

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Suricata module

Unresolved directive in modules/suricata.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module to the Suricata IDS/IPS/NSM log. It parses logs that are in the Suricata Eve JSON format.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

This is an example of how to overwrite the default log file path.

- module: suricata
  eve:
    enabled: true
    var.paths: ["/my/path/suricata.json"]

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`eve` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

Example dashboard

This module comes with sample dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

System module

Unresolved directive in modules/system.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses logs created by the system logging service of common Unix/Linux based distributions.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module was tested with logs from OSes like Ubuntu 12.04, Centos 7, and macOS Sierra.

This module is not available for Windows.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for the syslog and authorization logs:

- module: system
  syslog:
    enabled: true
    var.paths: ["/path/to/log/syslog*"]
  auth:
    enabled: true
    var.paths: ["/path/to/log/auth.log*"]

To specify the same settings at the command line, you use:

-M "system.syslog.var.paths=[/path/to/log/syslog*]" -M "system.auth.var.paths=[/path/to/log/auth.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`syslog` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

`auth` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Include preserve_orginal_event causes the pipeline to retain the raw log in event.original. Defaults to [].

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Example dashboards

This module comes with sample dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

Threat Intel module

Unresolved directive in modules/threatintel.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with Indicator Match rules, but is also compatible with other features like Enrich Processors. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the threat.indicator.* fields.

The available filesets are:

abuseurl: Supports gathering URL entities from Abuse.ch.
abusemalware: Supports gathering Malware/Payload entities from Abuse.ch.
misp: Supports gathering threat intel attributes from MISP (replaces MISP module).
malwarebazaar: Supports gathering Malware/Payload entities from Malware Bazaar.
otx: Supports gathering threat intel attributes from AlientVault OTX.
anomali: Supports gathering threat intel attributes from Anomali Limo.
anomalithreatstream: Supports gathering threat intel attributes from Anomali ThreatStream.
threatq: Supports gathering threat intel attributes from ThreatQuotient.

Tip	Read the quick start to learn how to configure and run modules.

`abuseurl` fileset settings

This fileset contacts the abuse.ch API and fetches all new malicious URLs found the last 60 minutes.

To configure the module, please utilize the default URL unless specified as the example below:

- module: threatintel
  abuseurl:
    enabled: true
    var.input: httpjson
    var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
    var.interval: 60m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with.
var.interval: How often the API is polled for updated information.
var.proxy_url: Optional URL to use as HTTP proxy.

Abuse.ch URL Threat Intel is mapped to the following ECS fields.

URL Threat Intel Fields

ECS Fields

url

threat.indicator.url.full

date_added

@timestamp

host

threat.indicator.ip/domain

`abusemalware` fileset settings

This fileset contacts the Abuse.ch API and fetches all new malicious hashes found the last 60 minutes.

To configure the module, please utilize the default URL unless specified as the example below:

- module: threatintel
  abusemalware:
    enabled: true
    var.input: httpjson
    var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
    var.interval: 60m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with.
var.interval: How often the API is polled for updated information.
var.proxy_url: Optional URL to use as HTTP proxy.

Abuse.ch Malware Threat Intel is mapped to the following ECS fields.

Malware Threat IntelFields

ECS Fields

md5_hash

threat.indicator.file.hash.md5

sha256_hash

threat.indicator.file.hash.sha256

file_size

threat.indicator.file.size

`malwarebazaar` fileset settings

This fileset contacts the Malware Bazaar API and fetches all new malicious hashes found the last 10 minutes.

To configure the module, please utilize the default URL unless specified as the example below:

- module: threatintel
  malwarebazaar:
    enabled: true
    var.input: httpjson
    var.url: https://mb-api.abuse.ch/api/v1/
    var.interval: 10m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with.
var.interval: How often the API is polled for updated information.
var.proxy_url: Optional URL to use as HTTP proxy.

Malware Bazaar Threat Intel is mapped to the following ECS fields.

Malware Threat IntelFields

ECS Fields

md5_hash

threat.indicator.file.hash.md5

sha256_hash

threat.indicator.file.hash.sha256

sha384_hash

threat.indicator.file.hash.sha384

tlsh

threat.indicator.file.hash.tlsh

ssdeep

threat.indicator.file.hash.ssdeep

imphash

threat.indicator.file.pe.imphash

file_size

threat.indicator.file.size

file_name

threat.indicator.file.name

file_type_mime

threat.indicator.file.mime_type

file_type

threat.indicator.file.type

reporter

threat.indicator.provider

origin_country

threat.indicator.geo.country_iso_code

signature

threat.indicator.signature

code_sign.subject_cn

threat.indicator.file.x509.subject.common_name

code_sign.issuer_cn

threat.indicator.file.x509.issuer.common_name

code_sign.algorithm

threat.indicator.file.x509.public_key_algorithm

code_sign.valid_from

threat.indicator.file.x509.not_before

code_sign.valid_to

threat.indicator.file.x509.not_after

code_sign.serial_number

threat.indicator.file.x509.serial_number

`misp` fileset settings

This fileset communicates with a local or remote MISP server. This replaces the older MISP module.

The fileset configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results.

- module: threatintel
  misp:
    enabled: true
    var.input: httpjson
    var.url: https://SERVER/events/restSearch
    var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
    var.first_interval: 24h
    var.interval: 60m

To configure the output with filters, use fields that already exist on the MISP server, and define either a single value or multiple. By adding a filter, only events that have attributes that match the filter will be returned.

The below filters are only examples, for a full list of all fields please reference the MISP fields located on the MISP server itself.

- module: threatintel
  misp:
    enabled: true
    var.input: httpjson
    var.url: https://SERVER/events/restSearch
    var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
    var.filters:
      type: ["md5", "sha256", "url", "ip-src"]
      threat_level: 4
    var.first_interval: 24h
    var.interval: 60m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with.
var.interval: How often the API is polled for updated information.
var.first_interval: How far back to search when retrieving events the first time Filebeat starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events.
var.filters: Dictionary of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. A list of available options is located at https://www.circl.lu/doc/misp/automation/#search
var.proxy_url: Optional URL to use as HTTP proxy.

MISP Threat Intel is mapped to the following ECS fields.

Malware Threat IntelFields

ECS Fields

misp.first_seen

threat.indicator.first_seen

misp.last_seen

threat.indicator.last_seen

misp.tag

tag

misp.value

threat.indicator.*

misp.value is mapped to the appropriate field dependent on attribute type.

`otx` fileset settings

To configure the module, please utilize the default URL unless specified as the example below:

- module: threatintel
  otx:
    enabled: true
    var.input: httpjson
    var.url: https://otx.alienvault.com/api/v1/indicators/export
    var.api_token: 754dcaafbcb9740dc0d119e72d5eaad699cc4a5cdbc856fc6215883842ba8142
    var.first_interval: 24h
    var.lookback_range: 2h
    var.interval: 60m

To filter only on specific indicator types, this is an example of some possible filters that are supported:

- module: threatintel
  otx:
    enabled: true
    var.input: httpjson
    var.url: https://otx.alienvault.com/api/v1/indicators/export
    var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
    var.first_interval: 24h
    var.interval: 60m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with.
var.api_token: The API key used to access OTX. This can be found on your OTX API homepage.
var.interval: How often the API is polled for updated information.
var.first_interval: How far back to search when retrieving events the first time the Filebeat starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events.
var.types: A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found in the AlientVault OTX documentation.
var.proxy_url: Optional URL to use as HTTP proxy.

OTX Threat Intel is mapped to the following ECS fields.

Malware Threat Intel Fields

ECS Fields

otx.type

threat.indicator.type

otx.description

threat.indicator.description

otx.indicator

threat.indicator.*

otx.indicator is mapped to the appropriate field dependent on attribute type.

`anomali` fileset settings

To configure the module please fill in the credentials, for Anomali Limo (the free Taxii service) these are usually default credentials found at the Anomali Limo webpage Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which then fits into the url used in this configuration. A list of different collections can be found using the credentials at Limo Collections.

The example below uses the collection of ID 41 as can be seen in the URL.

- module: threatintel
  anomali:
    enabled: true
    var.input: httpjson
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator
    var.username: guest
    var.password: guest
    var.interval: 60m

To filter on specific types, you can define var.types as a comma delimited list of object types. This defaults to "indicators".

- module: threatintel
  anomali:
    enabled: true
    var.input: httpjson
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator
    var.types: "indicators,other"
    var.username: guest
    var.password: guest
    var.interval: 60m

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.url: The URL of the API endpoint to connect with. Limo offers multiple collections of threat intelligence.
var.username: Username used to access the API.
var.password: Password used to access the API.
var.interval: How often the API is polled for updated information.
var.types: A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the Stix 2.1 Object types page.
var.proxy_url: Optional URL to use as HTTP proxy.

Anomali Threat Intel is mapped to the following ECS fields.

Malware Threat Intel Fields

ECS Fields

anomali.description

threat.indicator.description

anomali.created

threat.indicator.first_seen

anomali.modified

threat.indicator.last_seen

anomali.pattern

threat.indicator.*

anomali.labels

`anomalithreatstream` fileset settings

To configure the ThreatStream integration you first need to define an output in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali. It will deliver indicators via HTTP or HTTPS to a Filebeat instance running as a server.

Configure an Integrator output with the following settings:

Indicator Filter: * (or use any desired filter).
SDK Executable Command: /path/to/python /path/to/anomali-sdk/main.py. Adjust the paths to the python executable and the directory where the Elastic SDK has been unpacked.
Metadata in JSON Format: {"url": "https://filebeat:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}.
- url: Use the host and port where Filebeat will be running, and http or https accordingly.
- server_certificate: If using HTTPS, absolute path to the server certificate. Otherwise don’t set this field.
- secret: A shared secret string to authenticate messages between the SDK and Filebeat.

Then configure the anomalithreatstream fileset in Filebeat accordingly:

- module: threatintel
  anomalithreatstream:
    enabled: true
    var.input: http_endpoint
    var.listen_address: 0.0.0.0 # Listen on all interfaces.
    var.listen_port: 8080
    var.secret: 'my secret'
    var.ssl_certificate: path/to/server_ssl_cert.pem
    var.ssl_key: path/to/ssl_key.pem

var.listen_address: Local address to bind the HTTP server to. Use 0.0.0.0 to accept connections from all interfaces.
var.listen_port: Port number to use for the HTTP server.
var.secret: Shared secret between the SDK and Filebeat, used to authenticate messages.
var.ssl_certificate: Path to the public SSL certificate for the HTTPS server. If unset, Filebeat will use unsecure HTTP connections.
var.ssl_key: Path to the certificate’s private key.

Anomali ThreatStream fields are mapped to the following ECS fields:

ThreatStream fields

ECS Fields

asn

threat.indicator.as.number

classification[1]

threat.indicator.marking.tlp

confidence[1]

threat.indicator.confidence

country

threat.indicator.geo.country_iso_code

date_first

threat.indicator.first_seen

date_last

threat.indicator.last_seen

detail

Dashboards

This module comes with dashboards for the threat information feeds.

Overview of the information provided, and the health of, the Threat Intel module.

Overview of the information provided by the Abuse.ch Malware feed.

Overview of the information provided by the Abuse.ch URL feed.

Overview of the information provided by the AlienVault OTX feed.

Overview of the information provided by the Anomali Limo and Anomali ThreatStream feeds.

Overview of the information provided by the MISP feed.

`threatq` fileset settings

The threatq fileset fetches intelligence from the ThreatQuotient API.

The ThreatQ module requires you to set a valid URL, combination of Oauth2 credentials and the ID of the collection to retrieve indicators from. By default the indicators will be collected every 1 minute, and deduplication is handled by the API itself.

Sample configuration:

- module: threatintel
  threatq:
    enabled: true
    var.input: httpjson
    var.host: https://testurl.threatq.com/
    var.token_url: https://testurl.threatq.com/api/token
    var.client_id: oauthclient
    var.client_secret: 123abcd
    var.interval: 1m
    var.data_collection_id: "fsd2f54fsg2sf"

var.url: The URL of the API endpoint to connect with.
var.client_id: The Oauth2 client ID to be used for authentication.
var.client_secret: The Oauth2 secret related to the client_id.
var.interval: How often the API is polled for updated information.
var.proxy_url: Optional URL to use as HTTP proxy.
var.http_client_timeout: Optional value to override the default HTTP timeout of 30 seconds.

ThreatQ fields are mapped to the following ECS fields:

ThreatQ fields

ECS Fields

type.name

threat.indicator.type

description

threat.indicator.description

score

threat.indicator.confidence

value

threat.indicator.{url,ip,domain,file.hash}

sources

threat.indicator.provider

Dashboards

This module comes with dashboards for the threat information feeds.

Overview of the information provided, and the health of, the Threat Intel module.

Overview of the information provided by the Abuse.ch Malware feed.

Overview of the information provided by the Abuse.ch URL feed.

Overview of the information provided by the AlienVault OTX feed.

Overview of the information provided by the Anomali Limo and Anomali ThreatStream feeds.

Overview of the information provided by the MISP feed.

Overview of the information provided by the ThreatQuotient feed.

Fields

For a description of each field in the module, see the exported fields section.

Tomcat module

deprecated::[8.12.0,"This module is deprecated. Use the Apache Tomcat Elastic integration instead."]

experimental[]

Unresolved directive in modules/tomcat.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Apache Tomcat access logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`log` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.paths: The paths from which files are read. Needs to be a list. Only works when var.input is set to file.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9501

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Traefik module

Unresolved directive in modules/traefik.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module parses access logs created by Træfik.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
Deploys dashboards for visualizing the log data

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for Træfik logs:

- module: traefik
  access:
    enabled: true
    var.paths: ["/usr/local/traefik/access.log*"]

To specify the same settings at the command line, you use:

-M "traefik.access.var.paths=[/path/to/traefik/access.log*]"

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`access` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Example dashboards

This module comes with sample dashboards. For example:

Fields

For a description of each field in the module, see the exported fields section.

Zeek (Bro) Module

Unresolved directive in modules/zeek.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Zeek, which used to be called Bro. It parses logs that are in the Zeek JSON format.

The Zeek SSL fileset will handle fields from these scripts if they are installed in Zeek.

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

This module has been developed against Zeek 2.6.1, but is expected to work with newer versions of Zeek.

Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X.

`capture_loss` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

`connection` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`dce_rpc` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`dhcp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`dnp3` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`dns` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`dpd` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`files` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

`ftp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`files` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`http` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`intel` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`irc` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`kerberos` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`modbus` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`mysql` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`notice` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`ntls` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`ntp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`ocsp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

`pe` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

`radius` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`rdp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`rfb` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`signature` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`sip` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`smb_cmd` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`smb_files` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`smb_mapping` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`smtp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`snmp` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`socks` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`ssh` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`ssl` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`stats` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

`syslog` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`traceroute` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`tunnel` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`weird` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].
var.internal_networks: A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of network.direction. The values can be either a CIDR value or one of the named ranges supported by the network condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.

`x509` log fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.tags: A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [suricata].

Example dashboard

This module comes with a sample dashboard. For example:

Fields

For a description of each field in the module, see the exported fields section.

ZooKeeper module

Unresolved directive in modules/zookeeper.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

The {modulename} module collects and parses the logs created by Apache ZooKeeper

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an {es} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Tip	Read the quick start to learn how to configure and run modules.

Compatibility

The {modulename} module was tested with logs from versions 3.7.0.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

The following example shows how to set paths in the modules.d/{modulename}.yml file to override the default paths for logs:

- module: zookeeper
  audit:
    enabled: true
    var.paths:
      - "/path/to/logs/zookeeper_audit.log*"
  log:
    enabled: true
    var.paths:
      - "/path/to/logs/zookeeper.log*"

To specify the same settings at the command line, you use:

-M "zookeeper.audit.var.paths=[/path/to/logs/zookeeper_audit.log*]" -M "zookeeper.log.var.paths=[/path/to/logs/zookeeper.log*]"

Audit logging

Audit logging is available since Zookeeper 3.6.0, but it is disabled by default. To enable it, you can add the following setting to the configuration file:

audit.enable=true

`audit` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

`log` fileset settings

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

Time zone support

To disable this conversion, the event.timezone field can be removed with the drop_fields processor.

See Filter and enhance data with processors for information about specifying processors in your config.

Fields

For a description of each field in the module, see the exported fields section.

Zoom module

Unresolved directive in modules/zoom.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom.

To configure Zoom to send webhooks to the filebeat module, please follow the Zoom Documentation.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`webhook` fileset settings

When a webhook integration is created on Zoom, you can create a custom header to verify webhook events. See Custom Header for more information about this process. This is configured with the secret.header and secret.value settings as shown below.

On the other hand, Zoom also requires webhook validation for created or modified webhooks after October, 2022. This follows a challenge-response check (CRC) algorithm which is configured with the crc.enabled and crc.secret settings. Learn more about it at Validate your webhook endpoint.

Example config:

- module: zoom
  webhook:
    enabled: true
    var.input: http_endpoint
    var.listen_address: 0.0.0.0
    var.listen_port: 8080
    var.secret.header: x-my-custom-key
    var.secret.value: my-custom-value
    var.crc.enabled: true
    var.crc.secret: ZOOMSECRETTOKEN

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log//.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.listen_address: The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces.
var.listen_port: The port the module should be listening on.
var.ssl: Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See [configuration-ssl] for more information.

Fields

For a description of each field in the module, see the exported fields section.

Zscaler module

deprecated::[8.12.0,"This module is deprecated. Use the Zscaler Internet Access Elastic integration instead."]

experimental[]

Unresolved directive in modules/zscaler.asciidoc - include::/github/workspace/../../libbeat/docs/shared/integration-link.asciidoc[]

This is a module for receiving Zscaler NSS logs over Syslog or a file.

Tip	Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the {modulename} module by specifying variable settings in the modules.d/{modulename}.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the {modulename} module uses the defaults.

For advanced use cases, you can also override input settings. See [advanced-settings].

Tip	When you specify a setting at the command line, remember to prefix the setting with the module name, for example, {modulename}.{fileset_ex}.var.paths instead of {fileset_ex}.var.paths.

`zia` fileset settings

experimental[]

Note	This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108.

var.input: The input from which messages are read. One of file, tcp or udp. Defaults to udp.
var.syslog_host: The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port: The port to listen for syslog traffic. Defaults to 9521

Note	Ports below 1024 require Filebeat to run as root.

var.tz_offset: By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields: Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
var.keep_raw_fields: Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.

Exported fields

ActiveMQ fields

Module for parsing ActiveMQ log files.

activemq

activemq.caller: Name of the caller issuing the logging request (class or resource).

type: keyword
activemq.thread: Thread that generated the logging event.

type: keyword
activemq.user: User that generated the logging event.

type: keyword

audit

Fields from ActiveMQ audit logs.

log

Fields from ActiveMQ application logs.

activemq.log.stack_trace: type: keyword

Apache fields

Apache Module

apache

Apache fields.

access

Contains fields for the Apache HTTP Server access logs.

apache.access.ssl.protocol: SSL protocol version.

type: keyword
apache.access.ssl.cipher: SSL cipher name.

type: keyword

error

Fields from the Apache error logs.

apache.error.module: The module producing the logged message.

type: keyword

Auditd fields

Module for parsing auditd logs.

user.terminal: Terminal or tty device on which the user is performing the observed activity.

type: keyword
user.audit.id: One or multiple unique identifiers of the user.

type: keyword
user.audit.name: Short name or login of the user.

type: keyword

example: albert
user.audit.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.audit.group.name: Name of the group.

type: keyword
user.filesystem.id: One or multiple unique identifiers of the user.

type: keyword
user.filesystem.name: Short name or login of the user.

type: keyword

example: albert
user.filesystem.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.filesystem.group.name: Name of the group.

type: keyword
user.owner.id: One or multiple unique identifiers of the user.

type: keyword
user.owner.name: Short name or login of the user.

type: keyword

example: albert
user.owner.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.owner.group.name: Name of the group.

type: keyword
user.saved.id: One or multiple unique identifiers of the user.

type: keyword
user.saved.name: Short name or login of the user.

type: keyword

example: albert
user.saved.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.saved.group.name: Name of the group.

type: keyword

auditd

Fields from the auditd logs.

log

Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.

auditd.log.old_auid: For login events this is the old audit ID used for the user prior to this login.
auditd.log.new_auid: For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
auditd.log.old_ses: For login events this is the old session ID used for the user prior to this login.
auditd.log.new_ses: For login events this is the new session ID. It can be used to tie a user to future events by session ID.
auditd.log.sequence: The audit event sequence number.

type: long
auditd.log.items: The number of items in an event.
auditd.log.item: The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
auditd.log.tty: type: keyword
auditd.log.a0: The first argument to the system call.
auditd.log.addr: type: ip
auditd.log.rport: type: long
auditd.log.laddr: type: ip
auditd.log.lport: type: long
auditd.log.acct: type: alias

alias to: user.name
auditd.log.pid: type: alias

alias to: process.pid
auditd.log.ppid: type: alias

alias to: process.parent.pid
auditd.log.res: type: alias

alias to: event.outcome
auditd.log.record_type: type: alias

alias to: event.action
auditd.log.geoip.continent_name: type: alias

alias to: source.geo.continent_name
auditd.log.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
auditd.log.geoip.location: type: alias

alias to: source.geo.location
auditd.log.geoip.region_name: type: alias

alias to: source.geo.region_name
auditd.log.geoip.city_name: type: alias

alias to: source.geo.city_name
auditd.log.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code
auditd.log.arch: type: alias

alias to: host.architecture
auditd.log.gid: type: alias

alias to: user.group.id
auditd.log.uid: type: alias

alias to: user.id
auditd.log.agid: type: alias

alias to: user.audit.group.id
auditd.log.auid: type: alias

alias to: user.audit.id
auditd.log.fsgid: type: alias

alias to: user.filesystem.group.id
auditd.log.fsuid: type: alias

alias to: user.filesystem.id
auditd.log.egid: type: alias

alias to: user.effective.group.id
auditd.log.euid: type: alias

alias to: user.effective.id
auditd.log.sgid: type: alias

alias to: user.saved.group.id
auditd.log.suid: type: alias

alias to: user.saved.id
auditd.log.ogid: type: alias

alias to: user.owner.group.id
auditd.log.ouid: type: alias

alias to: user.owner.id
auditd.log.comm: type: alias

alias to: process.name
auditd.log.exe: type: alias

alias to: process.executable
auditd.log.terminal: type: alias

alias to: user.terminal
auditd.log.msg: type: alias

alias to: message
auditd.log.src: type: alias

alias to: source.address
auditd.log.dst: type: alias

alias to: destination.address

AWS fields

Module for handling logs from AWS.

aws

Fields from AWS logs.

cloudtrail

Fields for AWS CloudTrail logs.

aws.cloudtrail.event_version: The CloudTrail version of the log event format.

type: keyword

user_identity

The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained.

aws.cloudtrail.user_identity.type: The type of the identity

type: keyword
aws.cloudtrail.user_identity.arn: The Amazon Resource Name (ARN) of the principal that made the call.

type: keyword
aws.cloudtrail.user_identity.access_key_id: The access key ID that was used to sign the request.

type: keyword

session_context

If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials

aws.cloudtrail.user_identity.session_context.mfa_authenticated: The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.

type: keyword
aws.cloudtrail.user_identity.session_context.creation_date: The date and time when the temporary security credentials were issued.

type: date

session_issuer

If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained.

aws.cloudtrail.user_identity.session_context.session_issuer.type: The source of the temporary security credentials, such as Root, IAMUser, or Role.

type: keyword
aws.cloudtrail.user_identity.session_context.session_issuer.principal_id: The internal ID of the entity that was used to get credentials.

type: keyword
aws.cloudtrail.user_identity.session_context.session_issuer.arn: The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.

type: keyword
aws.cloudtrail.user_identity.session_context.session_issuer.account_id: The account that owns the entity that was used to get credentials.

type: keyword
aws.cloudtrail.user_identity.invoked_by: The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.

type: keyword
aws.cloudtrail.error_code: The AWS service error if the request returns an error.

type: keyword
aws.cloudtrail.error_message: If the request returns an error, the description of the error.

type: keyword
aws.cloudtrail.request_parameters: The parameters, if any, that were sent with the request.

type: keyword
aws.cloudtrail.request_parameters.text: type: text
aws.cloudtrail.response_elements: The response element for actions that make changes (create, update, or delete actions).

type: keyword
aws.cloudtrail.response_elements.text: type: text
aws.cloudtrail.additional_eventdata: Additional data about the event that was not part of the request or response.

type: keyword
aws.cloudtrail.additional_eventdata.text: type: text
aws.cloudtrail.request_id: The value that identifies the request. The service being called generates this value.

type: keyword
aws.cloudtrail.event_type: Identifies the type of event that generated the event record.

type: keyword
aws.cloudtrail.api_version: Identifies the API version associated with the AwsApiCall eventType value.

type: keyword
aws.cloudtrail.management_event: A Boolean value that identifies whether the event is a management event.

type: keyword
aws.cloudtrail.read_only: Identifies whether this operation is a read-only operation.

type: keyword

resources

A list of resources accessed in the event.

aws.cloudtrail.resources.arn

Resource ARNs

type: keyword

aws.cloudtrail.resources.account_id

Account ID of the resource owner

type: keyword

aws.cloudtrail.resources.type

Resource type identifier in the format: AWS::aws-service-name::data-type-name

type: keyword

aws.cloudtrail.recipient_account_id

Represents the account ID that received this event.

type: keyword

aws.cloudtrail.service_event_details

Identifies the service event, including what triggered the event and the result.

type: keyword

aws.cloudtrail.service_event_details.text

type: text

aws.cloudtrail.shared_event_id

GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.

type: keyword

aws.cloudtrail.vpc_endpoint_id

Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.

type: keyword

aws.cloudtrail.event_category

Shows the event category that is used in LookupEvents calls.

For management events, the value is management.
For data events, the value is data.
For Insights events, the value is insight.

type: keyword

console_login

Fields specific to ConsoleLogin events

additional_eventdata

Additional Event Data for ConsoleLogin events

aws.cloudtrail.console_login.additional_eventdata.mobile_version: Identifies whether ConsoleLogin was from mobile version

type: boolean
aws.cloudtrail.console_login.additional_eventdata.login_to: URL for ConsoleLogin

type: keyword
aws.cloudtrail.console_login.additional_eventdata.mfa_used: Identifies whether multi factor authentication was used during ConsoleLogin

type: boolean

flattened

ES flattened datatype for objects where the subfields aren’t known in advance.

aws.cloudtrail.flattened.additional_eventdata: Additional data about the event that was not part of the request or response.

type: flattened
aws.cloudtrail.flattened.request_parameters: The parameters, if any, that were sent with the request.

type: flattened
aws.cloudtrail.flattened.response_elements: The response element for actions that make changes (create, update, or delete actions).

type: flattened
aws.cloudtrail.flattened.service_event_details: Identifies the service event, including what triggered the event and the result.

type: flattened

digest

Fields from Cloudtrail Digest Logs

aws.cloudtrail.digest.log_files: A list of Logfiles contained in the digest.

type: nested
aws.cloudtrail.digest.start_time: The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.

type: date
aws.cloudtrail.digest.end_time: The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.

type: date
aws.cloudtrail.digest.s3_bucket: The name of the Amazon S3 bucket to which the current digest file has been delivered.

type: keyword
aws.cloudtrail.digest.s3_object: The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file.

type: keyword
aws.cloudtrail.digest.newest_event_time: The UTC time of the most recent event among all of the events in the log files in the digest.

type: date
aws.cloudtrail.digest.oldest_event_time: The UTC time of the oldest event among all of the events in the log files in the digest.

type: date
aws.cloudtrail.digest.previous_s3_bucket: The Amazon S3 bucket to which the previous digest file was delivered.

type: keyword
aws.cloudtrail.digest.previous_hash_algorithm: The name of the hash algorithm that was used to hash the previous digest file.

type: keyword
aws.cloudtrail.digest.public_key_fingerprint: The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file.

type: keyword
aws.cloudtrail.digest.signature_algorithm: The algorithm used to sign the digest file.

type: keyword
aws.cloudtrail.insight_details: Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event.

type: flattened

cloudwatch

Fields for AWS CloudWatch logs.

aws.cloudwatch.message: CloudWatch log message.

type: text

ec2

Fields for AWS EC2 logs in CloudWatch.

aws.ec2.ip_address: The internet address of the requester.

type: keyword

elb

Fields for AWS ELB logs.

aws.elb.name: The name of the load balancer.

type: keyword
aws.elb.type: The type of the load balancer for v2 Load Balancers.

type: keyword
aws.elb.target_group.arn: The ARN of the target group handling the request.

type: keyword
aws.elb.listener: The ELB listener that received the connection.

type: keyword
aws.elb.protocol: The protocol of the load balancer (http or tcp).

type: keyword
aws.elb.request_processing_time.sec: The total time in seconds since the connection or request is received until it is sent to a registered backend.

type: float
aws.elb.backend_processing_time.sec: The total time in seconds since the connection is sent to the backend till the backend starts responding.

type: float
aws.elb.response_processing_time.sec: The total time in seconds since the response is received from the backend till it is sent to the client.

type: float
aws.elb.connection_time.ms: The total time of the connection in milliseconds, since it is opened till it is closed.

type: long
aws.elb.tls_handshake_time.ms: The total time for the TLS handshake to complete in milliseconds once the connection has been established.

type: long
aws.elb.backend.ip: The IP address of the backend processing this connection.

type: keyword
aws.elb.backend.port: The port in the backend processing this connection.

type: keyword
aws.elb.backend.http.response.status_code: The status code from the backend (status code sent to the client from ELB is stored in http.response.status_code

type: keyword
aws.elb.ssl_cipher: The SSL cipher used in TLS/SSL connections.

type: keyword
aws.elb.ssl_protocol: The SSL protocol used in TLS/SSL connections.

type: keyword
aws.elb.chosen_cert.arn: The ARN of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword
aws.elb.chosen_cert.serial: The serial number of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword
aws.elb.incoming_tls_alert: The integer value of TLS alerts received by the load balancer from the client, if present.

type: keyword
aws.elb.tls_named_group: The TLS named group.

type: keyword
aws.elb.trace_id: The contents of the X-Amzn-Trace-Id header.

type: keyword
aws.elb.matched_rule_priority: The priority value of the rule that matched the request, if a rule matched.

type: keyword
aws.elb.action_executed: The action executed when processing the request (forward, fixed-response, authenticate…). It can contain several values.

type: keyword
aws.elb.redirect_url: The URL used if a redirection action was executed.

type: keyword
aws.elb.error.reason: The error reason if the executed action failed.

type: keyword
aws.elb.target_port: List of IP addresses and ports for the targets that processed this request.

type: keyword
aws.elb.target_status_code: List of status codes from the responses of the targets.

type: keyword
aws.elb.classification: The classification for desync mitigation.

type: keyword
aws.elb.classification_reason: The classification reason code.

type: keyword

s3access

Fields for AWS S3 server access logs.

aws.s3access.bucket_owner: The canonical user ID of the owner of the source bucket.

type: keyword
aws.s3access.bucket: The name of the bucket that the request was processed against.

type: keyword
aws.s3access.remote_ip: The apparent internet address of the requester.

type: ip
aws.s3access.requester: The canonical user ID of the requester, or a - for unauthenticated requests.

type: keyword
aws.s3access.request_id: A string generated by Amazon S3 to uniquely identify each request.

type: keyword
aws.s3access.operation: The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.

type: keyword
aws.s3access.key: The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.

type: keyword
aws.s3access.request_uri: The Request-URI part of the HTTP request message.

type: keyword
aws.s3access.http_status: The numeric HTTP status code of the response.

type: long
aws.s3access.error_code: The Amazon S3 Error Code, or "-" if no error occurred.

type: keyword
aws.s3access.bytes_sent: The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.

type: long
aws.s3access.object_size: The total size of the object in question.

type: long
aws.s3access.total_time: The number of milliseconds the request was in flight from the server’s perspective.

type: long
aws.s3access.turn_around_time: The number of milliseconds that Amazon S3 spent processing your request.

type: long
aws.s3access.referrer: The value of the HTTP Referrer header, if present.

type: keyword
aws.s3access.user_agent: The value of the HTTP User-Agent header.

type: keyword
aws.s3access.version_id: The version ID in the request, or "-" if the operation does not take a versionId parameter.

type: keyword
aws.s3access.host_id: The x-amz-id-2 or Amazon S3 extended request ID.

type: keyword
aws.s3access.signature_version: The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.

type: keyword
aws.s3access.cipher_suite: The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.

type: keyword
aws.s3access.authentication_type: The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.

type: keyword
aws.s3access.host_header: The endpoint used to connect to Amazon S3.

type: keyword
aws.s3access.tls_version: The Transport Layer Security (TLS) version negotiated by the client.

type: keyword

vpcflow

Fields for AWS VPC flow logs.

aws.vpcflow.version: The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.

type: keyword
aws.vpcflow.account_id: The AWS account ID for the flow log.

type: keyword
aws.vpcflow.interface_id: The ID of the network interface for which the traffic is recorded.

type: keyword
aws.vpcflow.action: The action that is associated with the traffic, ACCEPT or REJECT.

type: keyword
aws.vpcflow.log_status: The logging status of the flow log, OK, NODATA or SKIPDATA.

type: keyword
aws.vpcflow.instance_id: The ID of the instance that’s associated with network interface for which the traffic is recorded, if the instance is owned by you.

type: keyword
aws.vpcflow.pkt_srcaddr: The packet-level (original) source IP address of the traffic.

type: ip
aws.vpcflow.pkt_dstaddr: The packet-level (original) destination IP address for the traffic.

type: ip
aws.vpcflow.vpc_id: The ID of the VPC that contains the network interface for which the traffic is recorded.

type: keyword
aws.vpcflow.subnet_id: The ID of the subnet that contains the network interface for which the traffic is recorded.

type: keyword
aws.vpcflow.tcp_flags: The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST

type: keyword
aws.vpcflow.tcp_flags_array: List of TCP flags: 'fin, syn, rst, psh, ack, urg'

type: keyword
aws.vpcflow.type: The type of traffic: IPv4, IPv6, or EFA.

type: keyword

AWS CloudWatch fields

Fields from AWS CloudWatch logs.

awscloudwatch

Fields from AWS CloudWatch logs. Deprecated: Use aws.cloudwatch.* instead

awscloudwatch.log_group: The name of the log group to which this event belongs. Deprecated: Use aws.cloudwatch.log_group instead

type: keyword
awscloudwatch.log_stream: The name of the log stream to which this event belongs. Deprecated: Use aws.cloudwatch.log_stream instead

type: keyword
awscloudwatch.ingestion_time: The time the event was ingested in AWS CloudWatch. Deprecated: Use aws.cloudwatch.ingestion_time instead

type: keyword

aws.cloudwatch

Fields from AWS CloudWatch logs.

aws.cloudwatch.log_group: The name of the log group to which this event belongs.

type: keyword
aws.cloudwatch.log_stream: The name of the log stream to which this event belongs.

type: keyword
aws.cloudwatch.ingestion_time: The time the event was ingested in AWS CloudWatch.

type: keyword

AWS Fargate fields

Module for collecting container logs from Amazon ECS Fargate.

awsfargate

Fields from Amazon ECS Fargate logs.

log

Fields for Amazon Fargate container logs.

Azure fields

Azure Module

azure

azure.subscription_id: Azure subscription ID

type: keyword
azure.correlation_id: Correlation ID

type: keyword
azure.tenant_id: tenant ID

type: keyword

resource

Resource

azure.resource.id: Resource ID

type: keyword
azure.resource.group: Resource group

type: keyword
azure.resource.provider: Resource type/namespace

type: keyword
azure.resource.namespace: Resource type/namespace

type: keyword
azure.resource.name: Name

type: keyword
azure.resource.authorization_rule: Authorization rule

type: keyword

activitylogs

Fields for Azure activity logs.

azure.activitylogs.identity_name: identity name

type: keyword

identity

Identity

claims_initiated_by_user

Claims initiated by user

azure.activitylogs.identity.claims_initiated_by_user.name: Name

type: keyword
azure.activitylogs.identity.claims_initiated_by_user.givenname: Givenname

type: keyword
azure.activitylogs.identity.claims_initiated_by_user.surname: Surname

type: keyword
azure.activitylogs.identity.claims_initiated_by_user.fullname: Fullname

type: keyword
azure.activitylogs.identity.claims_initiated_by_user.schema: Schema

type: keyword
azure.activitylogs.identity.claims.*: Claims

type: object

authorization

Authorization

azure.activitylogs.identity.authorization.scope: Scope

type: keyword
azure.activitylogs.identity.authorization.action: Action

type: keyword

evidence

Evidence

azure.activitylogs.identity.authorization.evidence.role_assignment_scope: Role assignment scope

type: keyword
azure.activitylogs.identity.authorization.evidence.role_definition_id: Role definition ID

type: keyword
azure.activitylogs.identity.authorization.evidence.role: Role

type: keyword
azure.activitylogs.identity.authorization.evidence.role_assignment_id: Role assignment ID

type: keyword
azure.activitylogs.identity.authorization.evidence.principal_id: Principal ID

type: keyword
azure.activitylogs.identity.authorization.evidence.principal_type: Principal type

type: keyword
azure.activitylogs.tenant_id: Tenant ID

type: keyword
azure.activitylogs.level: Level

type: long
azure.activitylogs.operation_version: Operation version

type: keyword
azure.activitylogs.operation_name: Operation name

type: keyword
azure.activitylogs.result_type: Result type

type: keyword
azure.activitylogs.result_signature: Result signature

type: keyword
azure.activitylogs.category: Category

type: keyword
azure.activitylogs.event_category: Event Category

type: keyword
azure.activitylogs.properties: Properties

type: flattened

auditlogs

Fields for Azure audit logs.

azure.auditlogs.category: The category of the operation. Currently, Audit is the only supported value.

type: keyword
azure.auditlogs.operation_name: The operation name

type: keyword
azure.auditlogs.operation_version: The operation version

type: keyword
azure.auditlogs.identity: Identity

type: keyword
azure.auditlogs.tenant_id: Tenant ID

type: keyword
azure.auditlogs.result_signature: Result signature

type: keyword

properties

The audit log properties

azure.auditlogs.properties.result: Log result

type: keyword
azure.auditlogs.properties.activity_display_name: Activity display name

type: keyword
azure.auditlogs.properties.result_reason: Reason for the log result

type: keyword
azure.auditlogs.properties.correlation_id: Correlation ID

type: keyword
azure.auditlogs.properties.logged_by_service: Logged by service

type: keyword
azure.auditlogs.properties.operation_type: Operation type

type: keyword
azure.auditlogs.properties.id: ID

type: keyword
azure.auditlogs.properties.activity_datetime: Activity timestamp

type: date
azure.auditlogs.properties.category: category

type: keyword

target_resources.*

Target resources

azure.auditlogs.properties.target_resources..display_name*: Display name

type: keyword
azure.auditlogs.properties.target_resources..id*: ID

type: keyword
azure.auditlogs.properties.target_resources..type*: Type

type: keyword
azure.auditlogs.properties.target_resources..ip_address*: ip Address

type: keyword
azure.auditlogs.properties.target_resources..user_principal_name*: User principal name

type: keyword

modified_properties.*

Modified properties

azure.auditlogs.properties.target_resources..modified_properties..new_value: New value

type: keyword
azure.auditlogs.properties.target_resources..modified_properties..display_name: Display value

type: keyword
azure.auditlogs.properties.target_resources..modified_properties..old_value: Old value

type: keyword

initiated_by

Information regarding the initiator

app

App

azure.auditlogs.properties.initiated_by.app.servicePrincipalName: Service principal name

type: keyword
azure.auditlogs.properties.initiated_by.app.displayName: Display name

type: keyword
azure.auditlogs.properties.initiated_by.app.appId: App ID

type: keyword
azure.auditlogs.properties.initiated_by.app.servicePrincipalId: Service principal ID

type: keyword

user

User

azure.auditlogs.properties.initiated_by.user.userPrincipalName: User principal name

type: keyword
azure.auditlogs.properties.initiated_by.user.displayName: Display name

type: keyword
azure.auditlogs.properties.initiated_by.user.id: ID

type: keyword
azure.auditlogs.properties.initiated_by.user.ipAddress: ip Address

type: keyword

platformlogs

Fields for Azure platform logs.

azure.platformlogs.operation_name: Operation name

type: keyword
azure.platformlogs.result_type: Result type

type: keyword
azure.platformlogs.result_signature: Result signature

type: keyword
azure.platformlogs.category: Category

type: keyword
azure.platformlogs.event_category: Event Category

type: keyword
azure.platformlogs.status: Status

type: keyword
azure.platformlogs.ccpNamespace: ccpNamespace

type: keyword
azure.platformlogs.Cloud: Cloud

type: keyword
azure.platformlogs.Environment: Environment

type: keyword
azure.platformlogs.EventTimeString: EventTimeString

type: keyword
azure.platformlogs.Caller: Caller

type: keyword
azure.platformlogs.ScaleUnit: ScaleUnit

type: keyword
azure.platformlogs.ActivityId: ActivityId

type: keyword
azure.platformlogs.identity_name: Identity name

type: keyword
azure.platformlogs.properties: Event inner properties

type: flattened

signinlogs

Fields for Azure sign-in logs.

azure.signinlogs.operation_name: The operation name

type: keyword
azure.signinlogs.operation_version: The operation version

type: keyword
azure.signinlogs.tenant_id: Tenant ID

type: keyword
azure.signinlogs.result_signature: Result signature

type: keyword
azure.signinlogs.result_description: Result description

type: keyword
azure.signinlogs.result_type: Result type

type: keyword
azure.signinlogs.identity: Identity

type: keyword
azure.signinlogs.category: Category

type: keyword
azure.signinlogs.properties.id: Unique ID representing the sign-in activity.

type: keyword
azure.signinlogs.properties.created_at: Date and time (UTC) the sign-in was initiated.

type: date
azure.signinlogs.properties.user_display_name: User display name

type: keyword
azure.signinlogs.properties.correlation_id: Correlation ID

type: keyword
azure.signinlogs.properties.user_principal_name: User principal name

type: keyword
azure.signinlogs.properties.user_id: User ID

type: keyword
azure.signinlogs.properties.app_id: App ID

type: keyword
azure.signinlogs.properties.app_display_name: App display name

type: keyword
azure.signinlogs.properties.autonomous_system_number: Autonomous system number.

type: long
azure.signinlogs.properties.client_app_used: Client app used

type: keyword
azure.signinlogs.properties.conditional_access_status: Conditional access status

type: keyword
azure.signinlogs.properties.original_request_id: Original request ID

type: keyword
azure.signinlogs.properties.is_interactive: Is interactive

type: boolean
azure.signinlogs.properties.token_issuer_name: Token issuer name

type: keyword
azure.signinlogs.properties.token_issuer_type: Token issuer type

type: keyword
azure.signinlogs.properties.processing_time_ms: Processing time in milliseconds

type: float
azure.signinlogs.properties.risk_detail: Risk detail

type: keyword
azure.signinlogs.properties.risk_level_aggregated: Risk level aggregated

type: keyword
azure.signinlogs.properties.risk_level_during_signin: Risk level during signIn

type: keyword
azure.signinlogs.properties.risk_state: Risk state

type: keyword
azure.signinlogs.properties.resource_display_name: Resource display name

type: keyword
azure.signinlogs.properties.status.error_code: Error code

type: long
azure.signinlogs.properties.device_detail.device_id: Device ID

type: keyword
azure.signinlogs.properties.device_detail.operating_system: Operating system

type: keyword
azure.signinlogs.properties.device_detail.browser: Browser

type: keyword
azure.signinlogs.properties.device_detail.display_name: Display name

type: keyword
azure.signinlogs.properties.device_detail.trust_type: Trust type

type: keyword
azure.signinlogs.properties.device_detail.is_compliant: If the device is compliant

type: boolean
azure.signinlogs.properties.device_detail.is_managed: If the device is managed

type: boolean
azure.signinlogs.properties.applied_conditional_access_policies: A list of conditional access policies that are triggered by the corresponding sign-in activity.

type: array
azure.signinlogs.properties.authentication_details: The result of the authentication attempt and additional details on the authentication method.

type: array
azure.signinlogs.properties.authentication_processing_details: Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.

type: flattened
azure.signinlogs.properties.authentication_protocol: Authentication protocol type.

type: keyword
azure.signinlogs.properties.incoming_token_type: Incoming token type.

type: keyword
azure.signinlogs.properties.unique_token_identifier: Unique token identifier for the request.

type: keyword
azure.signinlogs.properties.authentication_requirement: This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.

type: keyword
azure.signinlogs.properties.authentication_requirement_policies: Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user

type: flattened
azure.signinlogs.properties.flagged_for_review: type: boolean
azure.signinlogs.properties.home_tenant_id: type: keyword
azure.signinlogs.properties.network_location_details: The network location details including the type of network used and its names.

type: array
azure.signinlogs.properties.resource_id: The identifier of the resource that the user signed in to.

type: keyword
azure.signinlogs.properties.resource_tenant_id: type: keyword
azure.signinlogs.properties.risk_event_types: The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

type: keyword
azure.signinlogs.properties.risk_event_types_v2: The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

type: keyword
azure.signinlogs.properties.service_principal_name: The application name used for sign-in. This field is populated when you are signing in using an application.

type: keyword
azure.signinlogs.properties.user_type: type: keyword
azure.signinlogs.properties.service_principal_id: The application identifier used for sign-in. This field is populated when you are signing in using an application.

type: keyword
azure.signinlogs.properties.cross_tenant_access_type: type: keyword
azure.signinlogs.properties.is_tenant_restricted: type: boolean
azure.signinlogs.properties.sso_extension_version: type: keyword

Barracuda Web Application Firewall fields

barracuda fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Beat fields

Contains common beat fields available in all event types.

agent.hostname: Deprecated - use agent.name or agent.id to identify an agent.

type: alias

alias to: agent.name
beat.timezone: type: alias

alias to: event.timezone
fields: Contains user configurable fields.

type: object
beat.name: type: alias

alias to: host.name
beat.hostname: type: alias

alias to: agent.name
timeseries.instance: Time series instance id

type: keyword

Blue Coat Director fields

bluecoat fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Decode CEF processor fields fields

Common Event Format (CEF) data.

cef

By default the decode_cef processor writes all data from the CEF message to this cef object. It contains the CEF header fields and the extension data.

cef.version: Version of the CEF specification used by the message.

type: keyword
cef.device.vendor: Vendor of the device that produced the message.

type: keyword
cef.device.product: Product of the device that produced the message.

type: keyword
cef.device.version: Version of the product that produced the message.

type: keyword
cef.device.event_class_id: Unique identifier of the event type.

type: keyword
cef.severity: Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.

type: keyword

example: Very-High
cef.name: Short description of the event.

type: keyword

extensions

Collection of key-value pairs carried in the CEF extension field.

cef.extensions.agentAddress: The IP address of the ArcSight connector that processed the event.

type: ip
cef.extensions.agentDnsDomain: The DNS domain name of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentHostName: The hostname of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentId: The agent ID of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentMacAddress: The MAC address of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentNtDomain: None

type: keyword
cef.extensions.agentReceiptTime: The time at which information about the event was received by the ArcSight connector.

type: date
cef.extensions.agentTimeZone: The agent time zone of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentTranslatedAddress: None

type: ip
cef.extensions.agentTranslatedZoneExternalID: None

type: keyword
cef.extensions.agentTranslatedZoneURI: None

type: keyword
cef.extensions.agentType: The agent type of the ArcSight connector that processed the event

type: keyword
cef.extensions.agentVersion: The version of the ArcSight connector that processed the event.

type: keyword
cef.extensions.agentZoneExternalID: None

type: keyword
cef.extensions.agentZoneURI: None

type: keyword
cef.extensions.applicationProtocol: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.

type: keyword
cef.extensions.baseEventCount: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.

type: long
cef.extensions.bytesIn: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.

type: long
cef.extensions.bytesOut: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.

type: long
cef.extensions.customerExternalID: None

type: keyword
cef.extensions.customerURI: None

type: keyword
cef.extensions.destinationAddress: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.

type: ip
cef.extensions.destinationDnsDomain: The DNS domain part of the complete fully qualified domain name (FQDN).

type: keyword
cef.extensions.destinationGeoLatitude: The latitudinal value from which the destination’s IP address belongs.

type: double
cef.extensions.destinationGeoLongitude: The longitudinal value from which the destination’s IP address belongs.

type: double
cef.extensions.destinationHostName: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.

type: keyword
cef.extensions.destinationMacAddress: Six colon-seperated hexadecimal numbers.

type: keyword
cef.extensions.destinationNtDomain: The Windows domain name of the destination address.

type: keyword
cef.extensions.destinationPort: The valid port numbers are between 0 and 65535.

type: long
cef.extensions.destinationProcessId: Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.

type: long
cef.extensions.destinationProcessName: The name of the event’s destination process.

type: keyword
cef.extensions.destinationServiceName: The service targeted by this event.

type: keyword
cef.extensions.destinationTranslatedAddress: Identifies the translated destination that the event refers to in an IP network.

type: ip
cef.extensions.destinationTranslatedPort: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.

type: long
cef.extensions.destinationTranslatedZoneExternalID: None

type: keyword
cef.extensions.destinationTranslatedZoneURI: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.

type: keyword
cef.extensions.destinationUserId: Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.

type: keyword
cef.extensions.destinationUserName: Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.

type: keyword
cef.extensions.destinationUserPrivileges: The typical values are "Administrator", "User", and "Guest". This identifies the destination user’s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".

type: keyword
cef.extensions.destinationZoneExternalID: None

type: keyword
cef.extensions.destinationZoneURI: The URI for the Zone that the destination asset has been assigned to in ArcSight.

type: keyword
cef.extensions.deviceAction: Action taken by the device.

type: keyword
cef.extensions.deviceAddress: Identifies the device address that an event refers to in an IP network.

type: ip
cef.extensions.deviceCustomFloatingPoint1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomFloatingPoint3Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomFloatingPoint4Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomDate1: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.

type: date
cef.extensions.deviceCustomDate1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomDate2: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.

type: date
cef.extensions.deviceCustomDate2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomFloatingPoint1: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

type: double
cef.extensions.deviceCustomFloatingPoint2: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

type: double
cef.extensions.deviceCustomFloatingPoint2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomFloatingPoint3: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

type: double
cef.extensions.deviceCustomFloatingPoint4: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

type: double
cef.extensions.deviceCustomIPv6Address1: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

type: ip
cef.extensions.deviceCustomIPv6Address1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomIPv6Address2: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

type: ip
cef.extensions.deviceCustomIPv6Address2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomIPv6Address3: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

type: ip
cef.extensions.deviceCustomIPv6Address3Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomIPv6Address4: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

type: ip
cef.extensions.deviceCustomIPv6Address4Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomNumber1: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: long
cef.extensions.deviceCustomNumber1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomNumber2: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: long
cef.extensions.deviceCustomNumber2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomNumber3: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: long
cef.extensions.deviceCustomNumber3Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString1: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString2: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString3: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString3Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString4: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString4Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString5: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString5Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceCustomString6: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: keyword
cef.extensions.deviceCustomString6Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceDirection: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.

type: long
cef.extensions.deviceDnsDomain: The DNS domain part of the complete fully qualified domain name (FQDN).

type: keyword
cef.extensions.deviceEventCategory: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".

type: keyword
cef.extensions.deviceExternalId: A name that uniquely identifies the device generating this event.

type: keyword
cef.extensions.deviceFacility: The facility generating this event. For example, Syslog has an explicit facility associated with every event.

type: keyword
cef.extensions.deviceFlexNumber1: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: long
cef.extensions.deviceFlexNumber1Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceFlexNumber2: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

type: long
cef.extensions.deviceFlexNumber2Label: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

type: keyword
cef.extensions.deviceHostName: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.

type: keyword
cef.extensions.deviceInboundInterface: Interface on which the packet or data entered the device.

type: keyword
cef.extensions.deviceMacAddress: Six colon-separated hexadecimal numbers.

type: keyword
cef.extensions.deviceNtDomain: The Windows domain name of the device address.

type: keyword
cef.extensions.deviceOutboundInterface: Interface on which the packet or data left the device.

type: keyword
cef.extensions.devicePayloadId: Unique identifier for the payload associated with the event.

type: keyword
cef.extensions.deviceProcessId: Provides the ID of the process on the device generating the event.

type: long
cef.extensions.deviceProcessName: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.

type: keyword
cef.extensions.deviceReceiptTime: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)

type: date
cef.extensions.deviceTimeZone: The time zone for the device generating the event.

type: keyword
cef.extensions.deviceTranslatedAddress: Identifies the translated device address that the event refers to in an IP network.

type: ip
cef.extensions.deviceTranslatedZoneExternalID: None

type: keyword
cef.extensions.deviceTranslatedZoneURI: The URI for the Translated Zone that the device asset has been assigned to in ArcSight.

type: keyword
cef.extensions.deviceZoneExternalID: None

type: keyword
cef.extensions.deviceZoneURI: Thee URI for the Zone that the device asset has been assigned to in ArcSight.

type: keyword
cef.extensions.endTime: The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session.

type: date
cef.extensions.eventId: This is a unique ID that ArcSight assigns to each event.

type: long
cef.extensions.eventOutcome: Displays the outcome, usually as 'success' or 'failure'.

type: keyword
cef.extensions.externalId: The ID used by an originating device. They are usually increasing numbers, associated with events.

type: keyword
cef.extensions.fileCreateTime: Time when the file was created.

type: date
cef.extensions.fileHash: Hash of a file.

type: keyword
cef.extensions.fileId: An ID associated with a file could be the inode.

type: keyword
cef.extensions.fileModificationTime: Time when the file was last modified.

type: date
cef.extensions.filename: Name of the file only (without its path).

type: keyword
cef.extensions.filePath: Full path to the file, including file name itself.

type: keyword
cef.extensions.filePermission: Permissions of the file.

type: keyword
cef.extensions.fileSize: Size of the file.

type: long
cef.extensions.fileType: Type of file (pipe, socket, etc.)

type: keyword
cef.extensions.flexDate1: A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

type: date
cef.extensions.flexDate1Label: The label field is a string and describes the purpose of the flex field.

type: keyword
cef.extensions.flexString1: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

type: keyword
cef.extensions.flexString2: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

type: keyword
cef.extensions.flexString1Label: The label field is a string and describes the purpose of the flex field.

type: keyword
cef.extensions.flexString2Label: The label field is a string and describes the purpose of the flex field.

type: keyword
cef.extensions.message: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.

type: keyword
cef.extensions.oldFileCreateTime: Time when old file was created.

type: date
cef.extensions.oldFileHash: Hash of the old file.

type: keyword
cef.extensions.oldFileId: An ID associated with the old file could be the inode.

type: keyword
cef.extensions.oldFileModificationTime: Time when old file was last modified.

type: date
cef.extensions.oldFileName: Name of the old file.

type: keyword
cef.extensions.oldFilePath: Full path to the old file, including the file name itself.

type: keyword
cef.extensions.oldFilePermission: Permissions of the old file.

type: keyword
cef.extensions.oldFileSize: Size of the old file.

type: long
cef.extensions.oldFileType: Type of the old file (pipe, socket, etc.)

type: keyword
cef.extensions.rawEvent: None

type: keyword
cef.extensions.Reason: The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".

type: keyword
cef.extensions.requestClientApplication: The User-Agent associated with the request.

type: keyword
cef.extensions.requestContext: Description of the content from which the request originated (for example, HTTP Referrer)

type: keyword
cef.extensions.requestCookies: Cookies associated with the request.

type: keyword
cef.extensions.requestMethod: The HTTP method used to access a URL.

type: keyword
cef.extensions.requestUrl: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.

type: keyword
cef.extensions.sourceAddress: Identifies the source that an event refers to in an IP network.

type: ip
cef.extensions.sourceDnsDomain: The DNS domain part of the complete fully qualified domain name (FQDN).

type: keyword
cef.extensions.sourceGeoLatitude: None

type: double
cef.extensions.sourceGeoLongitude: None

type: double
cef.extensions.sourceHostName: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'.

type: keyword
cef.extensions.sourceMacAddress: Six colon-separated hexadecimal numbers.

type: keyword

example: 00:0d:60:af:1b:61
cef.extensions.sourceNtDomain: The Windows domain name for the source address.

type: keyword
cef.extensions.sourcePort: The valid port numbers are 0 to 65535.

type: long
cef.extensions.sourceProcessId: The ID of the source process associated with the event.

type: long
cef.extensions.sourceProcessName: The name of the event’s source process.

type: keyword
cef.extensions.sourceServiceName: The service that is responsible for generating this event.

type: keyword
cef.extensions.sourceTranslatedAddress: Identifies the translated source that the event refers to in an IP network.

type: ip
cef.extensions.sourceTranslatedPort: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.

type: long
cef.extensions.sourceTranslatedZoneExternalID: None

type: keyword
cef.extensions.sourceTranslatedZoneURI: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.

type: keyword
cef.extensions.sourceUserId: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.

type: keyword
cef.extensions.sourceUserName: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.

type: keyword
cef.extensions.sourceUserPrivileges: The typical values are "Administrator", "User", and "Guest". It identifies the source user’s privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".

type: keyword
cef.extensions.sourceZoneExternalID: None

type: keyword
cef.extensions.sourceZoneURI: The URI for the Zone that the source asset has been assigned to in ArcSight.

type: keyword
cef.extensions.startTime: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)

type: date
cef.extensions.transportProtocol: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.

type: keyword
cef.extensions.type: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).

type: long
cef.extensions.categoryDeviceType: Device type. Examples - Proxy, IDS, Web Server

type: keyword
cef.extensions.categoryObject: Object that the event is about. For example it can be an operating sytem, database, file, etc.

type: keyword
cef.extensions.categoryBehavior: Action or a behavior associated with an event. It’s what is being done to the object.

type: keyword
cef.extensions.categoryTechnique: Technique being used (e.g. /DoS).

type: keyword
cef.extensions.categoryDeviceGroup: General device group like Firewall.

type: keyword
cef.extensions.categorySignificance: Characterization of the importance of the event.

type: keyword
cef.extensions.categoryOutcome: Outcome of the event (e.g. sucess, failure, or attempt).

type: keyword
cef.extensions.managerReceiptTime: When the Arcsight ESM received the event.

type: date
source.service.name: Service that is the source of the event.

type: keyword
destination.service.name: Service that is the target of the event.

type: keyword

CEF fields

Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.

forcepoint

Fields for Forcepoint Custom String mappings

forcepoint.virus_id: Virus ID

type: keyword

checkpoint

Fields for Check Point custom string mappings.

checkpoint.app_risk: Application risk.

type: keyword
checkpoint.app_severity: Application threat severity.

type: keyword
checkpoint.app_sig_id: The signature ID which the application was detected by.

type: keyword
checkpoint.auth_method: Password authentication protocol used.

type: keyword
checkpoint.category: Category.

type: keyword
checkpoint.confidence_level: Confidence level determined.

type: integer
checkpoint.connectivity_state: Connectivity state.

type: keyword
checkpoint.cookie: IKE cookie.

type: keyword
checkpoint.dst_phone_number: Destination IP-Phone.

type: keyword
checkpoint.email_control: Engine name.

type: keyword
checkpoint.email_id: Internal email ID.

type: keyword
checkpoint.email_recipients_num: Number of recipients.

type: long
checkpoint.email_session_id: Internal email session ID.

type: keyword
checkpoint.email_spool_id: Internal email spool ID.

type: keyword
checkpoint.email_subject: Email subject.

type: keyword
checkpoint.event_count: Number of events associated with the log.

type: long
checkpoint.frequency: Scan frequency.

type: keyword
checkpoint.icmp_type: ICMP type.

type: long
checkpoint.icmp_code: ICMP code.

type: long
checkpoint.identity_type: Identity type.

type: keyword
checkpoint.incident_extension: Format of original data.

type: keyword
checkpoint.integrity_av_invoke_type: Scan invoke type.

type: keyword
checkpoint.malware_family: Malware family.

type: keyword
checkpoint.peer_gateway: Main IP of the peer Security Gateway.

type: ip
checkpoint.performance_impact: Protection performance impact.

type: integer
checkpoint.protection_id: Protection malware ID.

type: keyword
checkpoint.protection_name: Specific signature name of the attack.

type: keyword
checkpoint.protection_type: Type of protection used to detect the attack.

type: keyword
checkpoint.scan_result: Scan result.

type: keyword
checkpoint.sensor_mode: Sensor mode.

type: keyword
checkpoint.severity: Threat severity.

type: keyword
checkpoint.spyware_name: Spyware name.

type: keyword
checkpoint.spyware_status: Spyware status.

type: keyword
checkpoint.subs_exp: The expiration date of the subscription.

type: date
checkpoint.tcp_flags: TCP packet flags.

type: keyword
checkpoint.termination_reason: Termination reason.

type: keyword
checkpoint.update_status: Update status.

type: keyword
checkpoint.user_status: User response.

type: keyword
checkpoint.uuid: External ID.

type: keyword
checkpoint.virus_name: Virus name.

type: keyword
checkpoint.voip_log_type: VoIP log types.

type: keyword

cef.extensions

Extra vendor-specific extensions.

cef.extensions.cp_app_risk: type: keyword
cef.extensions.cp_severity: type: keyword
cef.extensions.ifname: type: keyword
cef.extensions.inzone: type: keyword
cef.extensions.layer_uuid: type: keyword
cef.extensions.layer_name: type: keyword
cef.extensions.logid: type: keyword
cef.extensions.loguid: type: keyword
cef.extensions.match_id: type: keyword
cef.extensions.nat_addtnl_rulenum: type: keyword
cef.extensions.nat_rulenum: type: keyword
cef.extensions.origin: type: keyword
cef.extensions.originsicname: type: keyword
cef.extensions.outzone: type: keyword
cef.extensions.parent_rule: type: keyword
cef.extensions.product: type: keyword
cef.extensions.rule_action: type: keyword
cef.extensions.rule_uid: type: keyword
cef.extensions.sequencenum: type: keyword
cef.extensions.service_id: type: keyword
cef.extensions.version: type: keyword

Checkpoint fields

Some checkpoint module

checkpoint

Module for parsing Checkpoint syslog.

checkpoint.confidence_level: Confidence level determined by ThreatCloud.

type: integer
checkpoint.calc_desc: Log description.

type: keyword
checkpoint.dst_country: Destination country.

type: keyword
checkpoint.dst_user_name: Connected user name on the destination IP.

type: keyword
checkpoint.email_id: Email number in smtp connection.

type: keyword
checkpoint.email_subject: Original email subject.

type: keyword
checkpoint.email_session_id: Connection uuid.

type: keyword
checkpoint.event_count: Number of events associated with the log.

type: long
checkpoint.sys_message: System messages

type: keyword
checkpoint.logid: System messages

type: keyword
checkpoint.failure_impact: The impact of update service failure.

type: keyword
checkpoint.id: Override application ID.

type: integer
checkpoint.identity_src: The source for authentication identity information.

type: keyword
checkpoint.information: Policy installation status for a specific blade.

type: keyword
checkpoint.layer_name: Layer name.

type: keyword
checkpoint.layer_uuid: Layer UUID.

type: keyword
checkpoint.log_id: Unique identity for logs.

type: integer
checkpoint.malware_family: Additional information on protection.

type: keyword
checkpoint.origin_sic_name: Machine SIC.

type: keyword
checkpoint.policy_mgmt: Name of the Management Server that manages this Security Gateway.

type: keyword
checkpoint.policy_name: Name of the last policy that this Security Gateway fetched.

type: keyword
checkpoint.protection_id: Protection malware id.

type: keyword
checkpoint.protection_name: Specific signature name of the attack.

type: keyword
checkpoint.protection_type: Type of protection used to detect the attack.

type: keyword
checkpoint.protocol: Protocol detected on the connection.

type: keyword
checkpoint.proxy_src_ip: Sender source IP (even when using proxy).

type: ip
checkpoint.rule: Matched rule number.

type: integer
checkpoint.rule_action: Action of the matched rule in the access policy.

type: keyword
checkpoint.scan_direction: Scan direction.

type: keyword
checkpoint.session_id: Log uuid.

type: keyword
checkpoint.source_os: OS which generated the attack.

type: keyword
checkpoint.src_country: Country name, derived from connection source IP address.

type: keyword
checkpoint.src_user_name: User name connected to source IP

type: keyword
checkpoint.ticket_id: Unique ID per file.

type: keyword
checkpoint.tls_server_host_name: SNI/CN from encrypted TLS connection used by URLF for categorization.

type: keyword
checkpoint.verdict: TE engine verdict Possible values: Malicious/Benign/Error.

type: keyword
checkpoint.user: Source user name.

type: keyword
checkpoint.vendor_list: The vendor name that provided the verdict for a malicious URL.

type: keyword
checkpoint.web_server_type: Web server detected in the HTTP response.

type: keyword
checkpoint.client_name: Client Application or Software Blade that detected the event.

type: keyword
checkpoint.client_version: Build version of SandBlast Agent client installed on the computer.

type: keyword
checkpoint.extension_version: Build version of the SandBlast Agent browser extension.

type: keyword
checkpoint.host_time: Local time on the endpoint computer.

type: keyword
checkpoint.installed_products: List of installed Endpoint Software Blades.

type: keyword
checkpoint.cc: The Carbon Copy address of the email.

type: keyword
checkpoint.parent_process_username: Owner username of the parent process of the process that triggered the attack.

type: keyword
checkpoint.process_username: Owner username of the process that triggered the attack.

type: keyword
checkpoint.audit_status: Audit Status. Can be Success or Failure.

type: keyword
checkpoint.objecttable: Table of affected objects.

type: keyword
checkpoint.objecttype: The type of the affected object.

type: keyword
checkpoint.operation_number: The operation nuber.

type: keyword
checkpoint.email_recipients_num: Amount of recipients whom the mail was sent to.

type: integer
checkpoint.suppressed_logs: Aggregated connections for five minutes on the same source, destination and port.

type: integer
checkpoint.blade_name: Blade name.

type: keyword
checkpoint.status: Ok/Warning/Error.

type: keyword
checkpoint.short_desc: Short description of the process that was executed.

type: keyword
checkpoint.long_desc: More information on the process (usually describing error reason in failure).

type: keyword
checkpoint.scan_hosts_hour: Number of unique hosts during the last hour.

type: integer
checkpoint.scan_hosts_day: Number of unique hosts during the last day.

type: integer
checkpoint.scan_hosts_week: Number of unique hosts during the last week.

type: integer
checkpoint.unique_detected_hour: Detected virus for a specific host during the last hour.

type: integer
checkpoint.unique_detected_day: Detected virus for a specific host during the last day.

type: integer
checkpoint.unique_detected_week: Detected virus for a specific host during the last week.

type: integer
checkpoint.scan_mail: Number of emails that were scanned by "AB malicious activity" engine.

type: integer
checkpoint.additional_ip: DNS host name.

type: keyword
checkpoint.description: Additional explanation how the security gateway enforced the connection.

type: keyword
checkpoint.email_spam_category: Email categories. Possible values: spam/not spam/phishing.

type: keyword
checkpoint.email_control_analysis: Message classification, received from spam vendor engine.

type: keyword
checkpoint.scan_results: "Infected"/description of a failure.

type: keyword
checkpoint.original_queue_id: Original postfix email queue id.

type: keyword
checkpoint.risk: Risk level we got from the engine.

type: keyword
checkpoint.roles: The role of identity.

type: keyword
checkpoint.observable_name: IOC observable signature name.

type: keyword
checkpoint.observable_id: IOC observable signature id.

type: keyword
checkpoint.observable_comment: IOC observable signature description.

type: keyword
checkpoint.indicator_name: IOC indicator name.

type: keyword
checkpoint.indicator_description: IOC indicator description.

type: keyword
checkpoint.indicator_reference: IOC indicator reference.

type: keyword
checkpoint.indicator_uuid: IOC indicator uuid.

type: keyword
checkpoint.app_desc: Application description.

type: keyword
checkpoint.app_id: Application ID.

type: integer
checkpoint.app_sig_id: IOC indicator description.

type: keyword
checkpoint.certificate_resource: HTTPS resource Possible values: SNI or domain name (DN).

type: keyword
checkpoint.certificate_validation: Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.

type: keyword
checkpoint.browse_time: Application session browse time.

type: keyword
checkpoint.limit_requested: Indicates whether data limit was requested for the session.

type: integer
checkpoint.limit_applied: Indicates whether the session was actually date limited.

type: integer
checkpoint.dropped_total: Amount of dropped packets (both incoming and outgoing).

type: integer
checkpoint.client_type_os: Client OS detected in the HTTP request.

type: keyword
checkpoint.name: Application name.

type: keyword
checkpoint.properties: Application categories.

type: keyword
checkpoint.sig_id: Application’s signature ID which how it was detected by.

type: keyword
checkpoint.desc: Override application description.

type: keyword
checkpoint.referrer_self_uid: UUID of the current log.

type: keyword
checkpoint.referrer_parent_uid: Log UUID of the referring application.

type: keyword
checkpoint.needs_browse_time: Browse time required for the connection.

type: integer
checkpoint.cluster_info: Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.

type: keyword
checkpoint.sync: Sync status and the reason (stable, at risk).

type: keyword
checkpoint.file_direction: File direction. Possible options: upload/download.

type: keyword
checkpoint.invalid_file_size: File_size field is valid only if this field is set to 0.

type: integer
checkpoint.top_archive_file_name: In case of archive file: the file that was sent/received.

type: keyword
checkpoint.data_type_name: Data type in rulebase that was matched.

type: keyword
checkpoint.specific_data_type_name: Compound/Group scenario, data type that was matched.

type: keyword
checkpoint.word_list: Words matched by data type.

type: keyword
checkpoint.info: Special log message.

type: keyword
checkpoint.outgoing_url: URL related to this log (for HTTP).

type: keyword
checkpoint.dlp_rule_name: Matched rule name.

type: keyword
checkpoint.dlp_recipients: Mail recipients.

type: keyword
checkpoint.dlp_subject: Mail subject.

type: keyword
checkpoint.dlp_word_list: Phrases matched by data type.

type: keyword
checkpoint.dlp_template_score: Template data type match score.

type: keyword
checkpoint.message_size: Mail/post size.

type: integer
checkpoint.dlp_incident_uid: Unique ID of the matched rule.

type: keyword
checkpoint.dlp_related_incident_uid: Other ID related to this one.

type: keyword
checkpoint.dlp_data_type_name: Matched data type.

type: keyword
checkpoint.dlp_data_type_uid: Unique ID of the matched data type.

type: keyword
checkpoint.dlp_violation_description: Violation descriptions described in the rulebase.

type: keyword
checkpoint.dlp_relevant_data_types: In case of Compound/Group: the inner data types that were matched.

type: keyword
checkpoint.dlp_action_reason: Action chosen reason.

type: keyword
checkpoint.dlp_categories: Data type category.

type: keyword
checkpoint.dlp_transint: HTTP/SMTP/FTP.

type: keyword
checkpoint.duplicate: Log marked as duplicated, when mail is split and the Security Gateway sees it twice.

type: keyword
checkpoint.incident_extension: Matched data type.

type: keyword
checkpoint.matched_file: Unique ID of the matched data type.

type: keyword
checkpoint.matched_file_text_segments: Fingerprint: number of text segments matched by this traffic.

type: integer
checkpoint.matched_file_percentage: Fingerprint: match percentage of the traffic.

type: integer
checkpoint.dlp_additional_action: Watermark/None.

type: keyword
checkpoint.dlp_watermark_profile: Watermark which was applied.

type: keyword
checkpoint.dlp_repository_id: ID of scanned repository.

type: keyword
checkpoint.dlp_repository_root_path: Repository path.

type: keyword
checkpoint.scan_id: Sequential number of scan.

type: keyword
checkpoint.special_properties: If this field is set to '1' the log will not be shown (in use for monitoring scan progress).

type: integer
checkpoint.dlp_repository_total_size: Repository size.

type: integer
checkpoint.dlp_repository_files_number: Number of files in repository.

type: integer
checkpoint.dlp_repository_scanned_files_number: Number of scanned files in repository.

type: integer
checkpoint.duration: Scan duration.

type: keyword
checkpoint.dlp_fingerprint_long_status: Scan status - long format.

type: keyword
checkpoint.dlp_fingerprint_short_status: Scan status - short format.

type: keyword
checkpoint.dlp_repository_directories_number: Number of directories in repository.

type: integer
checkpoint.dlp_repository_unreachable_directories_number: Number of directories the Security Gateway was unable to read.

type: integer
checkpoint.dlp_fingerprint_files_number: Number of successfully scanned files in repository.

type: integer
checkpoint.dlp_repository_skipped_files_number: Skipped number of files because of configuration.

type: integer
checkpoint.dlp_repository_scanned_directories_number: Amount of directories scanned.

type: integer
checkpoint.number_of_errors: Number of files that were not scanned due to an error.

type: integer
checkpoint.next_scheduled_scan_date: Next scan scheduled time according to time object.

type: keyword
checkpoint.dlp_repository_scanned_total_size: Size scanned.

type: integer
checkpoint.dlp_repository_reached_directories_number: Number of scanned directories in repository.

type: integer
checkpoint.dlp_repository_not_scanned_directories_percentage: Percentage of directories the Security Gateway was unable to read.

type: integer
checkpoint.speed: Current scan speed.

type: integer
checkpoint.dlp_repository_scan_progress: Scan percentage.

type: integer
checkpoint.sub_policy_name: Layer name.

type: keyword
checkpoint.sub_policy_uid: Layer uid.

type: keyword
checkpoint.fw_message: Used for various firewall errors.

type: keyword
checkpoint.message: ISP link has failed.

type: keyword
checkpoint.isp_link: Name of ISP link.

type: keyword
checkpoint.fw_subproduct: Can be vpn/non vpn.

type: keyword
checkpoint.sctp_error: Error information, what caused sctp to fail on out_of_state.

type: keyword
checkpoint.chunk_type: Chunck of the sctp stream.

type: keyword
checkpoint.sctp_association_state: The bad state you were trying to update to.

type: keyword
checkpoint.tcp_packet_out_of_state: State violation.

type: keyword
checkpoint.tcp_flags: TCP packet flags (SYN, ACK, etc.,).

type: keyword
checkpoint.connectivity_level: Log for a new connection in wire mode.

type: keyword
checkpoint.ip_option: IP option that was dropped.

type: integer
checkpoint.tcp_state: Log reinting a tcp state change.

type: keyword
checkpoint.expire_time: Connection closing time.

type: keyword
checkpoint.icmp_type: In case a connection is ICMP, type info will be added to the log.

type: integer
checkpoint.icmp_code: In case a connection is ICMP, code info will be added to the log.

type: integer
checkpoint.rpc_prog: Log for new RPC state - prog values.

type: integer
checkpoint.dce-rpc_interface_uuid: Log for new RPC state - UUID values

type: keyword
checkpoint.elapsed: Time passed since start time.

type: keyword
checkpoint.icmp: Number of packets, received by the client.

type: keyword
checkpoint.capture_uuid: UUID generated for the capture. Used when enabling the capture when logging.

type: keyword
checkpoint.diameter_app_ID: The ID of diameter application.

type: integer
checkpoint.diameter_cmd_code: Diameter not allowed application command id.

type: integer
checkpoint.diameter_msg_type: Diameter message type.

type: keyword
checkpoint.cp_message: Used to log a general message.

type: integer
checkpoint.log_delay: Time left before deleting template.

type: integer
checkpoint.attack_status: In case of a malicious event on an endpoint computer, the status of the attack.

type: keyword
checkpoint.impacted_files: In case of an infection on an endpoint computer, the list of files that the malware impacted.

type: keyword
checkpoint.remediated_files: In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.

type: keyword
checkpoint.triggered_by: The name of the mechanism that triggered the Software Blade to enforce a protection.

type: keyword
checkpoint.https_inspection_rule_id: ID of the matched rule.

type: keyword
checkpoint.https_inspection_rule_name: Name of the matched rule.

type: keyword
checkpoint.app_properties: List of all found categories.

type: keyword
checkpoint.https_validation: Precise error, describing HTTPS inspection failure.

type: keyword
checkpoint.https_inspection_action: HTTPS inspection action (Inspect/Bypass/Error).

type: keyword
checkpoint.icap_service_id: Service ID, can work with multiple servers, treated as services.

type: integer
checkpoint.icap_server_name: Server name.

type: keyword
checkpoint.internal_error: Internal error, for troubleshooting

type: keyword
checkpoint.icap_more_info: Free text for verdict.

type: integer
checkpoint.reply_status: ICAP reply status code, e.g. 200 or 204.

type: integer
checkpoint.icap_server_service: Service name, as given in the ICAP URI

type: keyword
checkpoint.mirror_and_decrypt_type: Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).

type: keyword
checkpoint.interface_name: Designated interface for mirror And decrypt.

type: keyword
checkpoint.session_uid: HTTP session-id.

type: keyword
checkpoint.broker_publisher: IP address of the broker publisher who shared the session information.

type: ip
checkpoint.src_user_dn: User distinguished name connected to source IP.

type: keyword
checkpoint.proxy_user_name: User name connected to proxy IP.

type: keyword
checkpoint.proxy_machine_name: Machine name connected to proxy IP.

type: integer
checkpoint.proxy_user_dn: User distinguished name connected to proxy IP.

type: keyword
checkpoint.query: DNS query.

type: keyword
checkpoint.dns_query: DNS query.

type: keyword
checkpoint.inspection_item: Blade element performed inspection.

type: keyword
checkpoint.performance_impact: Protection performance impact.

type: integer
checkpoint.inspection_category: Inspection category: protocol anomaly, signature etc.

type: keyword
checkpoint.inspection_profile: Profile which the activated protection belongs to.

type: keyword
checkpoint.summary: Summary message of a non-compliant DNS traffic drops or detects.

type: keyword
checkpoint.question_rdata: List of question records domains.

type: keyword
checkpoint.answer_rdata: List of answer resource records to the questioned domains.

type: keyword
checkpoint.authority_rdata: List of authoritative servers.

type: keyword
checkpoint.additional_rdata: List of additional resource records.

type: keyword
checkpoint.files_names: List of files requested by FTP.

type: keyword
checkpoint.ftp_user: FTP username.

type: keyword
checkpoint.mime_from: Sender’s address.

type: keyword
checkpoint.mime_to: List of receiver address.

type: keyword
checkpoint.bcc: List of BCC addresses.

type: keyword
checkpoint.content_type: Mail content type. Possible values: application/msword, text/html, image/gif etc.

type: keyword
checkpoint.user_agent: String identifying requesting software user agent.

type: keyword
checkpoint.referrer: Referrer HTTP request header, previous web page address.

type: keyword
checkpoint.http_location: Response header, indicates the URL to redirect a page to.

type: keyword
checkpoint.content_disposition: Indicates how the content is expected to be displayed inline in the browser.

type: keyword
checkpoint.via: Via header is added by proxies for tracking purposes to avoid sending reqests in loop.

type: keyword
checkpoint.http_server: Server HTTP header value, contains information about the software used by the origin server, which handles the request.

type: keyword
checkpoint.content_length: Indicates the size of the entity-body of the HTTP header.

type: keyword
checkpoint.authorization: Authorization HTTP header value.

type: keyword
checkpoint.http_host: Domain name of the server that the HTTP request is sent to.

type: keyword
checkpoint.inspection_settings_log: Indicats that the log was released by inspection settings.

type: keyword
checkpoint.cvpn_resource: Mobile Access application.

type: keyword
checkpoint.cvpn_category: Mobile Access application type.

type: keyword
checkpoint.url: Translated URL.

type: keyword
checkpoint.reject_id: A reject ID that corresponds to the one presented in the Mobile Access error page.

type: keyword
checkpoint.fs-proto: The file share protocol used in mobile acess file share application.

type: keyword
checkpoint.app_package: Unique identifier of the application on the protected mobile device.

type: keyword
checkpoint.appi_name: Name of application downloaded on the protected mobile device.

type: keyword
checkpoint.app_repackaged: Indicates whether the original application was repackage not by the official developer.

type: keyword
checkpoint.app_sid_id: Unique SHA identifier of a mobile application.

type: keyword
checkpoint.app_version: Version of the application downloaded on the protected mobile device.

type: keyword
checkpoint.developer_certificate_name: Name of the developer’s certificate that was used to sign the mobile application.

type: keyword
checkpoint.email_control: Engine name.

type: keyword
checkpoint.email_message_id: Email session id (uniqe ID of the mail).

type: keyword
checkpoint.email_queue_id: Postfix email queue id.

type: keyword
checkpoint.email_queue_name: Postfix email queue name.

type: keyword
checkpoint.file_name: Malicious file name.

type: keyword
checkpoint.failure_reason: MTA failure description.

type: keyword
checkpoint.email_headers: String containing all the email headers.

type: keyword
checkpoint.arrival_time: Email arrival timestamp.

type: keyword
checkpoint.email_status: Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended

type: keyword
checkpoint.status_update: Last time log was updated.

type: keyword
checkpoint.delivery_time: Timestamp of when email was delivered (MTA finished handling the email.

type: keyword
checkpoint.links_num: Number of links in the mail.

type: integer
checkpoint.attachments_num: Number of attachments in the mail.

type: integer
checkpoint.email_content: Mail contents. Possible options: attachments/links & attachments/links/text only.

type: keyword
checkpoint.allocated_ports: Amount of allocated ports.

type: integer
checkpoint.capacity: Capacity of the ports.

type: integer
checkpoint.ports_usage: Percentage of allocated ports.

type: integer
checkpoint.nat_exhausted_pool: 4-tuple of an exhausted pool.

type: keyword
checkpoint.nat_rulenum: NAT rulebase first matched rule.

type: integer
checkpoint.nat_addtnl_rulenum: When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.

type: integer
checkpoint.message_info: Used for information messages, for example:NAT connection has ended.

type: keyword
checkpoint.nat46: NAT 46 status, in most cases "enabled".

type: keyword
checkpoint.end_time: TCP connection end time.

type: keyword
checkpoint.tcp_end_reason: Reason for TCP connection closure.

type: keyword
checkpoint.cgnet: Describes NAT allocation for specific subscriber.

type: keyword
checkpoint.subscriber: Source IP before CGNAT.

type: ip
checkpoint.hide_ip: Source IP which will be used after CGNAT.

type: ip
checkpoint.int_start: Subscriber start int which will be used for NAT.

type: integer
checkpoint.int_end: Subscriber end int which will be used for NAT.

type: integer
checkpoint.packet_amount: Amount of packets dropped.

type: integer
checkpoint.monitor_reason: Aggregated logs of monitored packets.

type: keyword
checkpoint.drops_amount: Amount of multicast packets dropped.

type: integer
checkpoint.securexl_message: Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.

type: keyword
checkpoint.conns_amount: Connections amount of aggregated log info.

type: integer
checkpoint.scope: IP related to the attack.

type: keyword
checkpoint.analyzed_on: Check Point ThreatCloud / emulator name.

type: keyword
checkpoint.detected_on: System and applications version the file was emulated on.

type: keyword
checkpoint.dropped_file_name: List of names dropped from the original file.

type: keyword
checkpoint.dropped_file_type: List of file types dropped from the original file.

type: keyword
checkpoint.dropped_file_hash: List of file hashes dropped from the original file.

type: keyword
checkpoint.dropped_file_verdict: List of file verdics dropped from the original file.

type: keyword
checkpoint.emulated_on: Images the files were emulated on.

type: keyword
checkpoint.extracted_file_type: Types of extracted files in case of an archive.

type: keyword
checkpoint.extracted_file_names: Names of extracted files in case of an archive.

type: keyword
checkpoint.extracted_file_hash: Archive hash in case of extracted files.

type: keyword
checkpoint.extracted_file_verdict: Verdict of extracted files in case of an archive.

type: keyword
checkpoint.extracted_file_uid: UID of extracted files in case of an archive.

type: keyword
checkpoint.mitre_initial_access: The adversary is trying to break into your network.

type: keyword
checkpoint.mitre_execution: The adversary is trying to run malicious code.

type: keyword
checkpoint.mitre_persistence: The adversary is trying to maintain his foothold.

type: keyword
checkpoint.mitre_privilege_escalation: The adversary is trying to gain higher-level permissions.

type: keyword
checkpoint.mitre_defense_evasion: The adversary is trying to avoid being detected.

type: keyword
checkpoint.mitre_credential_access: The adversary is trying to steal account names and passwords.

type: keyword
checkpoint.mitre_discovery: The adversary is trying to expose information about your environment.

type: keyword
checkpoint.mitre_lateral_movement: The adversary is trying to explore your environment.

type: keyword
checkpoint.mitre_collection: The adversary is trying to collect data of interest to achieve his goal.

type: keyword
checkpoint.mitre_command_and_control: The adversary is trying to communicate with compromised systems in order to control them.

type: keyword
checkpoint.mitre_exfiltration: The adversary is trying to steal data.

type: keyword
checkpoint.mitre_impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

type: keyword
checkpoint.parent_file_hash: Archive’s hash in case of extracted files.

type: keyword
checkpoint.parent_file_name: Archive’s name in case of extracted files.

type: keyword
checkpoint.parent_file_uid: Archive’s UID in case of extracted files.

type: keyword
checkpoint.similiar_iocs: Other IoCs similar to the ones found, related to the malicious file.

type: keyword
checkpoint.similar_hashes: Hashes found similar to the malicious file.

type: keyword
checkpoint.similar_strings: Strings found similar to the malicious file.

type: keyword
checkpoint.similar_communication: Network action found similar to the malicious file.

type: keyword
checkpoint.te_verdict_determined_by: Emulators determined file verdict.

type: keyword
checkpoint.packet_capture_unique_id: Identifier of the packet capture files.

type: keyword
checkpoint.total_attachments: The number of attachments in an email.

type: integer
checkpoint.additional_info: ID of original file/mail which are sent by admin.

type: keyword
checkpoint.content_risk: File risk.

type: integer
checkpoint.operation: Operation made by Threat Extraction.

type: keyword
checkpoint.scrubbed_content: Active content that was found.

type: keyword
checkpoint.scrub_time: Extraction process duration.

type: keyword
checkpoint.scrub_download_time: File download time from resource.

type: keyword
checkpoint.scrub_total_time: Threat extraction total file handling time.

type: keyword
checkpoint.scrub_activity: The result of the extraction

type: keyword
checkpoint.watermark: Reports whether watermark is added to the cleaned file.

type: keyword
checkpoint.snid: The Check Point session ID.

type: keyword
checkpoint.source_object: Matched object name on source column.

type: keyword
checkpoint.destination_object: Matched object name on destination column.

type: keyword
checkpoint.drop_reason: Drop reason description.

type: keyword
checkpoint.hit: Number of hits on a rule.

type: integer
checkpoint.rulebase_id: Layer number.

type: integer
checkpoint.first_hit_time: First hit time in current interval.

type: integer
checkpoint.last_hit_time: Last hit time in current interval.

type: integer
checkpoint.rematch_info: Information sent when old connections cannot be matched during policy installation.

type: keyword
checkpoint.last_rematch_time: Connection rematched time.

type: keyword
checkpoint.action_reason: Connection drop reason.

type: integer
checkpoint.action_reason_msg: Connection drop reason message.

type: keyword
checkpoint.c_bytes: Boolean value indicates whether bytes sent from the client side are used.

type: integer
checkpoint.context_num: Serial number of the log for a specific connection.

type: integer
checkpoint.match_id: Private key of the rule

type: integer
checkpoint.alert: Alert level of matched rule (for connection logs).

type: keyword
checkpoint.parent_rule: Parent rule number, in case of inline layer.

type: integer
checkpoint.match_fk: Rule number.

type: integer
checkpoint.dropped_outgoing: Number of outgoing bytes dropped when using UP-limit feature.

type: integer
checkpoint.dropped_incoming: Number of incoming bytes dropped when using UP-limit feature.

type: integer
checkpoint.media_type: Media used (audio, video, etc.)

type: keyword
checkpoint.sip_reason: Explains why 'source_ip' isn’t allowed to redirect (handover).

type: keyword
checkpoint.voip_method: Registration request.

type: keyword
checkpoint.registered_ip-phones: Registered IP-Phones.

type: keyword
checkpoint.voip_reg_user_type: Registered IP-Phone type.

type: keyword
checkpoint.voip_call_id: Call-ID.

type: keyword
checkpoint.voip_reg_int: Registration port.

type: integer
checkpoint.voip_reg_ipp: Registration IP protocol.

type: integer
checkpoint.voip_reg_period: Registration period.

type: integer
checkpoint.voip_log_type: VoIP log types. Possible values: reject, call, registration.

type: keyword
checkpoint.src_phone_number: Source IP-Phone.

type: keyword
checkpoint.voip_from_user_type: Source IP-Phone type.

type: keyword
checkpoint.dst_phone_number: Destination IP-Phone.

type: keyword
checkpoint.voip_to_user_type: Destination IP-Phone type.

type: keyword
checkpoint.voip_call_dir: Call direction: in/out.

type: keyword
checkpoint.voip_call_state: Call state. Possible values: in/out.

type: keyword
checkpoint.voip_call_term_time: Call termination time stamp.

type: keyword
checkpoint.voip_duration: Call duration (seconds).

type: keyword
checkpoint.voip_media_port: Media int.

type: keyword
checkpoint.voip_media_ipp: Media IP protocol.

type: keyword
checkpoint.voip_est_codec: Estimated codec.

type: keyword
checkpoint.voip_exp: Expiration.

type: integer
checkpoint.voip_attach_sz: Attachment size.

type: integer
checkpoint.voip_attach_action_info: Attachment action Info.

type: keyword
checkpoint.voip_media_codec: Estimated codec.

type: keyword
checkpoint.voip_reject_reason: Reject reason.

type: keyword
checkpoint.voip_reason_info: Information.

type: keyword
checkpoint.voip_config: Configuration.

type: keyword
checkpoint.voip_reg_server: Registrar server IP address.

type: ip
checkpoint.scv_user: Username whose packets are dropped on SCV.

type: keyword
checkpoint.scv_message_info: Drop reason.

type: keyword
checkpoint.ppp: Authentication status.

type: keyword
checkpoint.scheme: Describes the scheme used for the log.

type: keyword
checkpoint.auth_method: Password authentication protocol used (PAP or EAP).

type: keyword
checkpoint.auth_status: The authentication status for an event.

type: keyword
checkpoint.machine: L2TP machine which triggered the log and the log refers to it.

type: keyword
checkpoint.vpn_feature_name: L2TP /IKE / Link Selection.

type: keyword
checkpoint.reject_category: Authentication failure reason.

type: keyword
checkpoint.peer_ip_probing_status_update: IP address response status.

type: keyword
checkpoint.peer_ip: IP address which the client connects to.

type: keyword
checkpoint.peer_gateway: Main IP of the peer Security Gateway.

type: ip
checkpoint.link_probing_status_update: IP address response status.

type: keyword
checkpoint.source_interface: External Interface name for source interface or Null if not found.

type: keyword
checkpoint.next_hop_ip: Next hop IP address.

type: keyword
checkpoint.srckeyid: Initiator Spi ID.

type: keyword
checkpoint.dstkeyid: Responder Spi ID.

type: keyword
checkpoint.encryption_failure: Message indicating why the encryption failed.

type: keyword
checkpoint.ike_ids: All QM ids.

type: keyword
checkpoint.community: Community name for the IPSec key and the use of the IKEv.

type: keyword
checkpoint.ike: IKEMode (PHASE1, PHASE2, etc..).

type: keyword
checkpoint.cookieI: Initiator cookie.

type: keyword
checkpoint.cookieR: Responder cookie.

type: keyword
checkpoint.msgid: Message ID.

type: keyword
checkpoint.methods: IPSEc methods.

type: keyword
checkpoint.connection_uid: Calculation of md5 of the IP and user name as UID.

type: keyword
checkpoint.site_name: Site name.

type: keyword
checkpoint.esod_rule_name: Unknown rule name.

type: keyword
checkpoint.esod_rule_action: Unknown rule action.

type: keyword
checkpoint.esod_rule_type: Unknown rule type.

type: keyword
checkpoint.esod_noncompliance_reason: Non-compliance reason.

type: keyword
checkpoint.esod_associated_policies: Associated policies.

type: keyword
checkpoint.spyware_name: Spyware name.

type: keyword
checkpoint.spyware_type: Spyware type.

type: keyword
checkpoint.anti_virus_type: Anti virus type.

type: keyword
checkpoint.end_user_firewall_type: End user firewall type.

type: keyword
checkpoint.esod_scan_status: Scan failed.

type: keyword
checkpoint.esod_access_status: Access denied.

type: keyword
checkpoint.client_type: Endpoint Connect.

type: keyword
checkpoint.precise_error: HTTP parser error.

type: keyword
checkpoint.method: HTTP method.

type: keyword
checkpoint.trusted_domain: In case of phishing event, the domain, which the attacker was impersonating.

type: keyword
checkpoint.comment: type: keyword
checkpoint.conn_direction: Connection direction

type: keyword
checkpoint.db_ver: Database version

type: keyword
checkpoint.update_status: Status of database update

type: keyword

Cisco fields

Module for handling Cisco network device logs.

cisco.amp

Module for parsing Cisco AMP logs.

cisco.amp.timestamp_nanoseconds: The timestamp in Epoch nanoseconds.

type: date
cisco.amp.event_type_id: A sub ID of the event, depending on event type.

type: keyword
cisco.amp.detection: The name of the malware detected.

type: keyword
cisco.amp.detection_id: The ID of the detection.

type: keyword
cisco.amp.connector_guid: The GUID of the connector sending information to AMP.

type: keyword
cisco.amp.group_guids: An array of group GUIDS related to the connector sending information to AMP.

type: keyword
cisco.amp.vulnerabilities: An array of related vulnerabilities to the malicious event.

type: flattened
cisco.amp.scan.description: Description of an event related to a scan being initiated, for example the specific directory name.

type: keyword
cisco.amp.scan.clean: Boolean value if a scanned file was clean or not.

type: boolean
cisco.amp.scan.scanned_files: Count of files scanned in a directory.

type: long
cisco.amp.scan.scanned_processes: Count of processes scanned related to a single scan event.

type: long
cisco.amp.scan.scanned_paths: Count of different directories scanned related to a single scan event.

type: long
cisco.amp.scan.malicious_detections: Count of malicious files or documents detected related to a single scan event.

type: long
cisco.amp.computer.connector_guid: The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.

type: keyword
cisco.amp.computer.external_ip: The external IP of the related host.

type: ip
cisco.amp.computer.active: If the current endpoint is active or not.

type: boolean
cisco.amp.computer.network_addresses: All network interface information on the related host.

type: flattened
cisco.amp.file.disposition: Categorization of file, for example "Malicious" or "Clean".

type: keyword
cisco.amp.network_info.disposition: Categorization of a network event related to a file, for example "Malicious" or "Clean".

type: keyword
cisco.amp.network_info.nfm.direction: The current direction based on source and destination IP.

type: keyword
cisco.amp.related.mac: An array of all related MAC addresses.

type: keyword
cisco.amp.related.cve: An array of all related MAC addresses.

type: keyword
cisco.amp.cloud_ioc.description: Description of the related IOC for specific IOC events from AMP.

type: keyword
cisco.amp.cloud_ioc.short_description: Short description of the related IOC for specific IOC events from AMP.

type: keyword
cisco.amp.network_info.parent.disposition: Categorization of a IOC for example "Malicious" or "Clean".

type: keyword
cisco.amp.network_info.parent.identity.md5: MD5 hash of the related IOC.

type: keyword
cisco.amp.network_info.parent.identity.sha1: SHA1 hash of the related IOC.

type: keyword
cisco.amp.network_info.parent.identify.sha256: SHA256 hash of the related IOC.

type: keyword
cisco.amp.file.archived_file.disposition: Categorization of a file archive related to a file, for example "Malicious" or "Clean".

type: keyword
cisco.amp.file.archived_file.identity.md5: MD5 hash of the archived file related to the malicious event.

type: keyword
cisco.amp.file.archived_file.identity.sha1: SHA1 hash of the archived file related to the malicious event.

type: keyword
cisco.amp.file.archived_file.identity.sha256: SHA256 hash of the archived file related to the malicious event.

type: keyword
cisco.amp.file.attack_details.application: The application name related to Exploit Prevention events.

type: keyword
cisco.amp.file.attack_details.attacked_module: Path to the executable or dll that was attacked and detected by Exploit Prevention.

type: keyword
cisco.amp.file.attack_details.base_address: The base memory address related to the exploit detected.

type: keyword
cisco.amp.file.attack_details.suspicious_files: An array of related files when an attack is detected by Exploit Prevention.

type: keyword
cisco.amp.file.parent.disposition: Categorization of parrent, for example "Malicious" or "Clean".

type: keyword
cisco.amp.error.description: Description of an endpoint error event.

type: keyword
cisco.amp.error.error_code: The error code describing the related error event.

type: keyword
cisco.amp.threat_hunting.severity: Severity result of the threat hunt registered to the malicious event. Can be Low-Critical.

type: keyword
cisco.amp.threat_hunting.incident_report_guid: The GUID of the related threat hunting report.

type: keyword
cisco.amp.threat_hunting.incident_hunt_guid: The GUID of the related investigation tracking issue.

type: keyword
cisco.amp.threat_hunting.incident_title: Title of the incident related to the threat hunting activity.

type: keyword
cisco.amp.threat_hunting.incident_summary: Summary of the outcome on the threat hunting activity.

type: keyword
cisco.amp.threat_hunting.incident_remediation: Recommendations to resolve the vulnerability or exploited host.

type: keyword
cisco.amp.threat_hunting.incident_id: The id of the related incident for the threat hunting activity.

type: keyword
cisco.amp.threat_hunting.incident_end_time: When the threat hunt finalized or closed.

type: date
cisco.amp.threat_hunting.incident_start_time: When the threat hunt was initiated.

type: date
cisco.amp.file.attack_details.indicators: Different indicator types that matches the exploit detected, for example different MITRE tactics.

type: flattened
cisco.amp.threat_hunting.tactics: List of all MITRE tactics related to the incident found.

type: flattened
cisco.amp.threat_hunting.techniques: List of all MITRE techniques related to the incident found.

type: flattened
cisco.amp.tactics: List of all MITRE tactics related to the incident found.

type: flattened
cisco.amp.mitre_tactics: Array of all related mitre tactic ID’s

type: keyword
cisco.amp.techniques: List of all MITRE techniques related to the incident found.

type: flattened
cisco.amp.mitre_techniques: Array of all related mitre technique ID’s

type: keyword
cisco.amp.command_line.arguments: The CLI arguments related to the Cloud Threat IOC reported by Cisco.

type: keyword
cisco.amp.bp_data: Endpoint isolation information

type: flattened

cisco.asa

Fields for Cisco ASA Firewall.

cisco.asa.message_id: The Cisco ASA message identifier.

type: keyword
cisco.asa.suffix: Optional suffix after %ASA identifier.

type: keyword

example: session
cisco.asa.source_interface: Source interface for the flow or event.

type: keyword
cisco.asa.destination_interface: Destination interface for the flow or event.

type: keyword
cisco.asa.rule_name: Name of the Access Control List rule that matched this event.

type: keyword
cisco.asa.source_username: Name of the user that is the source for this event.

type: keyword
cisco.asa.source_user_security_group_tag: The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.

type: long
cisco.asa.destination_username: Name of the user that is the destination for this event.

type: keyword
cisco.asa.destination_user_security_group_tag: The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.

type: long
cisco.asa.mapped_source_ip: The translated source IP address.

type: ip
cisco.asa.mapped_source_host: The translated source host.

type: keyword
cisco.asa.mapped_source_port: The translated source port.

type: long
cisco.asa.mapped_destination_ip: The translated destination IP address.

type: ip
cisco.asa.mapped_destination_host: The translated destination host.

type: keyword
cisco.asa.mapped_destination_port: The translated destination port.

type: long
cisco.asa.threat_level: Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword
cisco.asa.threat_category: Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword
cisco.asa.connection_id: Unique identifier for a flow.

type: keyword
cisco.asa.icmp_type: ICMP type.

type: short
cisco.asa.icmp_code: ICMP code.

type: short
cisco.asa.connection_type: The VPN connection type

type: keyword
cisco.asa.dap_records: The assigned DAP records

type: keyword
cisco.asa.command_line_arguments: The command line arguments logged by the local audit log

type: keyword
cisco.asa.assigned_ip: The IP address assigned to a VPN client successfully connecting

type: ip
cisco.asa.privilege.old: When a users privilege is changed this is the old value

type: keyword
cisco.asa.privilege.new: When a users privilege is changed this is the new value

type: keyword
cisco.asa.burst.object: The related object for burst warnings

type: keyword
cisco.asa.burst.id: The related rate ID for burst warnings

type: keyword
cisco.asa.burst.current_rate: The current burst rate seen

type: keyword
cisco.asa.burst.configured_rate: The current configured burst rate

type: keyword
cisco.asa.burst.avg_rate: The current average burst rate seen

type: keyword
cisco.asa.burst.configured_avg_rate: The current configured average burst rate allowed

type: keyword
cisco.asa.burst.cumulative_count: The total count of burst rate hits since the object was created or cleared

type: keyword
cisco.asa.termination_user: AAA name of user requesting termination

type: keyword
cisco.asa.webvpn.group_name: The WebVPN group name the user belongs to

type: keyword
cisco.asa.termination_initiator: Interface name of the side that initiated the teardown

type: keyword
cisco.asa.tunnel_type: SA type (remote access or L2L)

type: keyword
cisco.asa.session_type: Session type (for example, IPsec or UDP)

type: keyword

cisco.ftd

Fields for Cisco Firepower Threat Defense Firewall.

cisco.ftd.message_id: The Cisco FTD message identifier.

type: keyword
cisco.ftd.suffix: Optional suffix after %FTD identifier.

type: keyword

example: session
cisco.ftd.source_interface: Source interface for the flow or event.

type: keyword
cisco.ftd.destination_interface: Destination interface for the flow or event.

type: keyword
cisco.ftd.rule_name: Name of the Access Control List rule that matched this event.

type: keyword
cisco.ftd.source_username: Name of the user that is the source for this event.

type: keyword
cisco.ftd.destination_username: Name of the user that is the destination for this event.

type: keyword
cisco.ftd.mapped_source_ip: The translated source IP address. Use ECS source.nat.ip.

type: ip
cisco.ftd.mapped_source_host: The translated source host.

type: keyword
cisco.ftd.mapped_source_port: The translated source port. Use ECS source.nat.port.

type: long
cisco.ftd.mapped_destination_ip: The translated destination IP address. Use ECS destination.nat.ip.

type: ip
cisco.ftd.mapped_destination_host: The translated destination host.

type: keyword
cisco.ftd.mapped_destination_port: The translated destination port. Use ECS destination.nat.port.

type: long
cisco.ftd.threat_level: Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword
cisco.ftd.threat_category: Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword
cisco.ftd.connection_id: Unique identifier for a flow.

type: keyword
cisco.ftd.icmp_type: ICMP type.

type: short
cisco.ftd.icmp_code: ICMP code.

type: short
cisco.ftd.security: Raw fields for Security Events.

type: object
cisco.ftd.connection_type: The VPN connection type

type: keyword
cisco.ftd.dap_records: The assigned DAP records

type: keyword
cisco.ftd.termination_user: AAA name of user requesting termination

type: keyword
cisco.ftd.webvpn.group_name: The WebVPN group name the user belongs to

type: keyword
cisco.ftd.termination_initiator: Interface name of the side that initiated the teardown

type: keyword

cisco.ios

Fields for Cisco IOS logs.

cisco.ios.access_list: Name of the IP access list.

type: keyword
cisco.ios.facility: The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.

type: keyword

example: SEC
network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

cisco.umbrella

Fields for Cisco Umbrella.

cisco.umbrella.identities: An array of the different identities related to the event.

type: keyword
cisco.umbrella.categories: The security or content categories that the destination matches.

type: keyword
cisco.umbrella.policy_identity_type: The first identity type matched with this request. Available in version 3 and above.

type: keyword
cisco.umbrella.identity_types: The type of identity that made the request. For example, Roaming Computer or Network.

type: keyword
cisco.umbrella.blocked_categories: The categories that resulted in the destination being blocked. Available in version 4 and above.

type: keyword
cisco.umbrella.content_type: The type of web content, typically text/html.

type: keyword
cisco.umbrella.sha_sha256: Hex digest of the response content.

type: keyword
cisco.umbrella.av_detections: The detection name according to the antivirus engine used in file inspection.

type: keyword
cisco.umbrella.puas: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.

type: keyword
cisco.umbrella.amp_disposition: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.

type: keyword
cisco.umbrella.amp_malware_name: If Malicious, the name of the malware according to AMP.

type: keyword
cisco.umbrella.amp_score: The score of the malware from AMP. This field is not currently used and will be blank.

type: keyword
cisco.umbrella.datacenter: The name of the Umbrella Data Center that processed the user-generated traffic.

type: keyword
cisco.umbrella.origin_id: The unique identity of the network tunnel.

type: keyword

Cloud provider metadata fields

Metadata from cloud providers added by the add_cloud_metadata processor.

cloud.image.id: Image ID for the cloud instance.

example: ami-abcd1234
meta.cloud.provider: type: alias

alias to: cloud.provider
meta.cloud.instance_id: type: alias

alias to: cloud.instance.id
meta.cloud.instance_name: type: alias

alias to: cloud.instance.name
meta.cloud.machine_type: type: alias

alias to: cloud.machine.type
meta.cloud.availability_zone: type: alias

alias to: cloud.availability_zone
meta.cloud.project_id: type: alias

alias to: cloud.project.id
meta.cloud.region: type: alias

alias to: cloud.region

Coredns fields

Module for handling logs produced by coredns

coredns

coredns fields after normalization

coredns.query.size: size of the DNS query

type: integer

format: bytes
coredns.response.size: size of the DNS response

type: integer

format: bytes

Crowdstrike fields

Module for collecting Crowdstrike events.

crowdstrike

Fields for Crowdstrike Falcon event and alert data.

metadata

Meta data fields for each event that include type and timestamp.

crowdstrike.metadata.eventType: DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent

type: keyword
crowdstrike.metadata.eventCreationTime: The time this event occurred on the endpoint in UTC UNIX_MS format.

type: date
crowdstrike.metadata.offset: Offset number that tracks the location of the event in stream. This is used to identify unique detection events.

type: integer
crowdstrike.metadata.customerIDString: Customer identifier

type: keyword
crowdstrike.metadata.version: Schema version

type: keyword

event

Event data fields for each event and alert.

crowdstrike.event.ProcessStartTime: The process start time in UTC UNIX_MS format.

type: date
crowdstrike.event.ProcessEndTime: The process termination time in UTC UNIX_MS format.

type: date
crowdstrike.event.ProcessId: Process ID related to the detection.

type: integer
crowdstrike.event.ParentProcessId: Parent process ID related to the detection.

type: integer
crowdstrike.event.ComputerName: Name of the computer where the detection occurred.

type: keyword
crowdstrike.event.UserName: User name associated with the detection.

type: keyword
crowdstrike.event.DetectName: Name of the detection.

type: keyword
crowdstrike.event.DetectDescription: Description of the detection.

type: keyword
crowdstrike.event.Severity: Severity score of the detection.

type: integer
crowdstrike.event.SeverityName: Severity score text.

type: keyword
crowdstrike.event.FileName: File name of the associated process for the detection.

type: keyword
crowdstrike.event.FilePath: Path of the executable associated with the detection.

type: keyword
crowdstrike.event.CommandLine: Executable path with command line arguments.

type: keyword
crowdstrike.event.SHA1String: SHA1 sum of the executable associated with the detection.

type: keyword
crowdstrike.event.SHA256String: SHA256 sum of the executable associated with the detection.

type: keyword
crowdstrike.event.MD5String: MD5 sum of the executable associated with the detection.

type: keyword
crowdstrike.event.MachineDomain: Domain for the machine associated with the detection.

type: keyword
crowdstrike.event.FalconHostLink: URL to view the detection in Falcon.

type: keyword
crowdstrike.event.SensorId: Unique ID associated with the Falcon sensor.

type: keyword
crowdstrike.event.DetectId: Unique ID associated with the detection.

type: keyword
crowdstrike.event.LocalIP: IP address of the host associated with the detection.

type: keyword
crowdstrike.event.MACAddress: MAC address of the host associated with the detection.

type: keyword
crowdstrike.event.Tactic: MITRE tactic category of the detection.

type: keyword
crowdstrike.event.Technique: MITRE technique category of the detection.

type: keyword
crowdstrike.event.Objective: Method of detection.

type: keyword
crowdstrike.event.PatternDispositionDescription: Action taken by Falcon.

type: keyword
crowdstrike.event.PatternDispositionValue: Unique ID associated with action taken.

type: integer
crowdstrike.event.PatternDispositionFlags: Flags indicating actions taken.

type: object
crowdstrike.event.State: Whether the incident summary is open and ongoing or closed.

type: keyword
crowdstrike.event.IncidentStartTime: Start time for the incident in UTC UNIX format.

type: date
crowdstrike.event.IncidentEndTime: End time for the incident in UTC UNIX format.

type: date
crowdstrike.event.FineScore: Score for incident.

type: float
crowdstrike.event.UserId: Email address or user ID associated with the event.

type: keyword
crowdstrike.event.UserIp: IP address associated with the user.

type: keyword
crowdstrike.event.OperationName: Event subtype.

type: keyword
crowdstrike.event.ServiceName: Service associated with this event.

type: keyword
crowdstrike.event.Success: Indicator of whether or not this event was successful.

type: boolean
crowdstrike.event.UTCTimestamp: Timestamp associated with this event in UTC UNIX format.

type: date
crowdstrike.event.AuditKeyValues: Fields that were changed in this event.

type: nested
crowdstrike.event.ExecutablesWritten: Detected executables written to disk by a process.

type: nested
crowdstrike.event.SessionId: Session ID of the remote response session.

type: keyword
crowdstrike.event.HostnameField: Host name of the machine for the remote session.

type: keyword
crowdstrike.event.StartTimestamp: Start time for the remote session in UTC UNIX format.

type: date
crowdstrike.event.EndTimestamp: End time for the remote session in UTC UNIX format.

type: date
crowdstrike.event.LateralMovement: Lateral movement field for incident.

type: long
crowdstrike.event.ParentImageFileName: Path to the parent process.

type: keyword
crowdstrike.event.ParentCommandLine: Parent process command line arguments.

type: keyword
crowdstrike.event.GrandparentImageFileName: Path to the grandparent process.

type: keyword
crowdstrike.event.GrandparentCommandLine: Grandparent process command line arguments.

type: keyword
crowdstrike.event.IOCType: CrowdStrike type for indicator of compromise.

type: keyword
crowdstrike.event.IOCValue: CrowdStrike value for indicator of compromise.

type: keyword
crowdstrike.event.CustomerId: Customer identifier.

type: keyword
crowdstrike.event.DeviceId: Device on which the event occurred.

type: keyword
crowdstrike.event.Ipv: Protocol for network request.

type: keyword
crowdstrike.event.ConnectionDirection: Direction for network connection.

type: keyword
crowdstrike.event.EventType: CrowdStrike provided event type.

type: keyword
crowdstrike.event.HostName: Host name of the local machine.

type: keyword
crowdstrike.event.ICMPCode: RFC2780 ICMP Code field.

type: keyword
crowdstrike.event.ICMPType: RFC2780 ICMP Type field.

type: keyword
crowdstrike.event.ImageFileName: File name of the associated process for the detection.

type: keyword
crowdstrike.event.PID: Associated process id for the detection.

type: long
crowdstrike.event.LocalAddress: IP address of local machine.

type: ip
crowdstrike.event.LocalPort: Port of local machine.

type: long
crowdstrike.event.RemoteAddress: IP address of remote machine.

type: ip
crowdstrike.event.RemotePort: Port of remote machine.

type: long
crowdstrike.event.RuleAction: Firewall rule action.

type: keyword
crowdstrike.event.RuleDescription: Firewall rule description.

type: keyword
crowdstrike.event.RuleFamilyID: Firewall rule family id.

type: keyword
crowdstrike.event.RuleGroupName: Firewall rule group name.

type: keyword
crowdstrike.event.RuleName: Firewall rule name.

type: keyword
crowdstrike.event.RuleId: Firewall rule id.

type: keyword
crowdstrike.event.MatchCount: Number of firewall rule matches.

type: long
crowdstrike.event.MatchCountSinceLastReport: Number of firewall rule matches since the last report.

type: long
crowdstrike.event.Timestamp: Firewall rule triggered timestamp.

type: date
crowdstrike.event.Flags.Audit: CrowdStrike audit flag.

type: boolean
crowdstrike.event.Flags.Log: CrowdStrike log flag.

type: boolean
crowdstrike.event.Flags.Monitor: CrowdStrike monitor flag.

type: boolean
crowdstrike.event.Protocol: CrowdStrike provided protocol.

type: keyword
crowdstrike.event.NetworkProfile: CrowdStrike network profile.

type: keyword
crowdstrike.event.PolicyName: CrowdStrike policy name.

type: keyword
crowdstrike.event.PolicyID: CrowdStrike policy id.

type: keyword
crowdstrike.event.Status: CrowdStrike status.

type: keyword
crowdstrike.event.TreeID: CrowdStrike tree id.

type: keyword
crowdstrike.event.Commands: Commands run in a remote session.

type: keyword

CyberArk PAS fields

cyberarkpas fields.

audit

Cyberark Privileged Access Security Audit fields.

cyberarkpas.audit.action: A description of the audit record.

type: keyword

ca_properties

Account metadata.

cyberarkpas.audit.ca_properties.address: type: keyword
cyberarkpas.audit.ca_properties.cpm_disabled: type: keyword
cyberarkpas.audit.ca_properties.cpm_error_details: type: keyword
cyberarkpas.audit.ca_properties.cpm_status: type: keyword
cyberarkpas.audit.ca_properties.creation_method: type: keyword
cyberarkpas.audit.ca_properties.customer: type: keyword
cyberarkpas.audit.ca_properties.database: type: keyword
cyberarkpas.audit.ca_properties.device_type: type: keyword
cyberarkpas.audit.ca_properties.dual_account_status: type: keyword
cyberarkpas.audit.ca_properties.group_name: type: keyword
cyberarkpas.audit.ca_properties.in_process: type: keyword
cyberarkpas.audit.ca_properties.index: type: keyword
cyberarkpas.audit.ca_properties.last_fail_date: type: keyword
cyberarkpas.audit.ca_properties.last_success_change: type: keyword
cyberarkpas.audit.ca_properties.last_success_reconciliation: type: keyword
cyberarkpas.audit.ca_properties.last_success_verification: type: keyword
cyberarkpas.audit.ca_properties.last_task: type: keyword
cyberarkpas.audit.ca_properties.logon_domain: type: keyword
cyberarkpas.audit.ca_properties.policy_id: type: keyword
cyberarkpas.audit.ca_properties.port: type: keyword
cyberarkpas.audit.ca_properties.privcloud: type: keyword
cyberarkpas.audit.ca_properties.reset_immediately: type: keyword
cyberarkpas.audit.ca_properties.retries_count: type: keyword
cyberarkpas.audit.ca_properties.sequence_id: type: keyword
cyberarkpas.audit.ca_properties.tags: type: keyword
cyberarkpas.audit.ca_properties.user_dn: type: keyword
cyberarkpas.audit.ca_properties.user_name: type: keyword
cyberarkpas.audit.ca_properties.virtual_username: type: keyword
cyberarkpas.audit.ca_properties.other: type: flattened
cyberarkpas.audit.category: The category name (for category-related operations).

type: keyword
cyberarkpas.audit.desc: A static value that displays a description of the audit codes.

type: keyword

extra_details

Specific extra details of the audit records.

cyberarkpas.audit.extra_details.ad_process_id: type: keyword
cyberarkpas.audit.extra_details.ad_process_name: type: keyword
cyberarkpas.audit.extra_details.application_type: type: keyword
cyberarkpas.audit.extra_details.command: type: keyword
cyberarkpas.audit.extra_details.connection_component_id: type: keyword
cyberarkpas.audit.extra_details.dst_host: type: keyword
cyberarkpas.audit.extra_details.logon_account: type: keyword
cyberarkpas.audit.extra_details.managed_account: type: keyword
cyberarkpas.audit.extra_details.process_id: type: keyword
cyberarkpas.audit.extra_details.process_name: type: keyword
cyberarkpas.audit.extra_details.protocol: type: keyword
cyberarkpas.audit.extra_details.psmid: type: keyword
cyberarkpas.audit.extra_details.session_duration: type: keyword
cyberarkpas.audit.extra_details.session_id: type: keyword
cyberarkpas.audit.extra_details.src_host: type: keyword
cyberarkpas.audit.extra_details.username: type: keyword
cyberarkpas.audit.extra_details.other: type: flattened
cyberarkpas.audit.file: The name of the target file.

type: keyword
cyberarkpas.audit.gateway_station: The IP of the web application machine (PVWA).

type: ip
cyberarkpas.audit.hostname: The hostname, in upper case.

type: keyword

example: MY-COMPUTER
cyberarkpas.audit.iso_timestamp: The timestamp, in ISO Timestamp format (RFC 3339).

type: date

example: 2013-06-25 10:47:19+00:00
cyberarkpas.audit.issuer: The Vault user who wrote the audit. This is usually the user who performed the operation.

type: keyword
cyberarkpas.audit.location: The target Location (for Location operations).

type: keyword

Field is not indexed.
cyberarkpas.audit.message: A description of the audit records (same information as in the Desc field).

type: keyword
cyberarkpas.audit.message_id: The code ID of the audit records.

type: keyword
cyberarkpas.audit.product: A static value that represents the product.

type: keyword
cyberarkpas.audit.pvwa_details: Specific details of the PVWA audit records.

type: flattened
cyberarkpas.audit.raw: Raw XML for the original audit record. Only present when XSLT file has debugging enabled.

type: keyword

Field is not indexed.
cyberarkpas.audit.reason: The reason entered by the user.

type: text
cyberarkpas.audit.rfc5424: Whether the syslog format complies with RFC5424.

type: boolean

example: True
cyberarkpas.audit.safe: The name of the target Safe.

type: keyword
cyberarkpas.audit.severity: The severity of the audit records.

type: keyword
cyberarkpas.audit.source_user: The name of the Vault user who performed the operation.

type: keyword
cyberarkpas.audit.station: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.

type: ip
cyberarkpas.audit.target_user: The name of the Vault user on which the operation was performed.

type: keyword
cyberarkpas.audit.timestamp: The timestamp, in MMM DD HH:MM:SS format.

type: keyword

example: Jun 25 10:47:19
cyberarkpas.audit.vendor: A static value that represents the vendor.

type: keyword
cyberarkpas.audit.version: A static value that represents the version of the Vault.

type: keyword

CylanceProtect fields

cylance fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Docker fields

Docker stats collected from Docker.

docker.container.id: type: alias

alias to: container.id
docker.container.image: type: alias

alias to: container.image.name
docker.container.name: type: alias

alias to: container.name
docker.container.labels: Image labels.

type: object

ECS fields

This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {es}.

This is an exhaustive list, and fields listed here are not necessarily used by Filebeat. The goal of ECS is to enable and encourage users of {es} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.

See the {ecs-ref}[ECS reference] for more information.

@timestamp: Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

type: date

example: 2016-05-23T08:05:34.853Z

required: True
labels: Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

type: object

example: {"application": "foo-bar", "env": "production"}
message: For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.

type: match_only_text

example: Hello World
tags: List of keywords used to tag each event.

type: keyword

example: ["production", "env2"]

agent

The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.

agent.build.original: Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.

type: keyword

example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
agent.ephemeral_id: Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

type: keyword

example: 8a4f500f
agent.id: Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.

type: keyword

example: 8a4f500d
agent.name: Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

type: keyword

example: foo
agent.type: Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.

type: keyword

example: filebeat
agent.version: Version of the agent.

type: keyword

example: 6.0.0-rc2

as

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169
as.organization.name: Organization name.

type: keyword

example: Google LLC
as.organization.name.text: type: match_only_text

client

A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.

client.address: Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword
client.as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169
client.as.organization.name: Organization name.

type: keyword

example: Google LLC
client.as.organization.name.text: type: match_only_text
client.bytes: Bytes sent from the client to the server.

type: long

example: 184

format: bytes
client.domain: The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.

type: keyword

example: foo.example.com
client.geo.city_name: City name.

type: keyword

example: Montreal
client.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
client.geo.continent_name: Name of the continent.

type: keyword

example: North America
client.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
client.geo.country_name: Country name.

type: keyword

example: Canada
client.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
client.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
client.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
client.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
client.geo.region_name: Region name.

type: keyword

example: Quebec
client.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
client.ip: IP address of the client (IPv4 or IPv6).

type: ip
client.mac: MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: 00-00-5E-00-53-23
client.nat.ip: Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.

type: ip
client.nat.port: Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.

type: long

format: string
client.packets: Packets sent from the client to the server.

type: long

example: 12
client.port: Port of the client.

type: long

format: string
client.registered_domain: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
client.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east
client.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
client.user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
client.user.email: User email address.

type: keyword
client.user.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
client.user.full_name.text: type: match_only_text
client.user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
client.user.group.id: Unique identifier for the group on the system/platform.

type: keyword
client.user.group.name: Name of the group.

type: keyword
client.user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
client.user.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
client.user.name: Short name or login of the user.

type: keyword

example: a.einstein
client.user.name.text: type: match_only_text
client.user.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]

cloud

Fields related to the cloud or infrastructure the events are coming from.

cloud.account.id: The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

type: keyword

example: 666777888999
cloud.account.name: The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

type: keyword

example: elastic-dev
cloud.availability_zone: Availability zone in which this host, resource, or service is located.

type: keyword

example: us-east-1c
cloud.instance.id: Instance ID of the host machine.

type: keyword

example: i-1234567890abcdef0
cloud.instance.name: Instance name of the host machine.

type: keyword
cloud.machine.type: Machine type of the host machine.

type: keyword

example: t2.medium
cloud.origin.account.id: The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

type: keyword

example: 666777888999
cloud.origin.account.name: The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

type: keyword

example: elastic-dev
cloud.origin.availability_zone: Availability zone in which this host, resource, or service is located.

type: keyword

example: us-east-1c
cloud.origin.instance.id: Instance ID of the host machine.

type: keyword

example: i-1234567890abcdef0
cloud.origin.instance.name: Instance name of the host machine.

type: keyword
cloud.origin.machine.type: Machine type of the host machine.

type: keyword

example: t2.medium
cloud.origin.project.id: The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

type: keyword

example: my-project
cloud.origin.project.name: The cloud project name. Examples: Google Cloud Project name, Azure Project name.

type: keyword

example: my project
cloud.origin.provider: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

type: keyword

example: aws
cloud.origin.region: Region in which this host, resource, or service is located.

type: keyword

example: us-east-1
cloud.origin.service.name: The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

type: keyword

example: lambda
cloud.project.id: The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

type: keyword

example: my-project
cloud.project.name: The cloud project name. Examples: Google Cloud Project name, Azure Project name.

type: keyword

example: my project
cloud.provider: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

type: keyword

example: aws
cloud.region: Region in which this host, resource, or service is located.

type: keyword

example: us-east-1
cloud.service.name: The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

type: keyword

example: lambda
cloud.target.account.id: The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

type: keyword

example: 666777888999
cloud.target.account.name: The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

type: keyword

example: elastic-dev
cloud.target.availability_zone: Availability zone in which this host, resource, or service is located.

type: keyword

example: us-east-1c
cloud.target.instance.id: Instance ID of the host machine.

type: keyword

example: i-1234567890abcdef0
cloud.target.instance.name: Instance name of the host machine.

type: keyword
cloud.target.machine.type: Machine type of the host machine.

type: keyword

example: t2.medium
cloud.target.project.id: The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

type: keyword

example: my-project
cloud.target.project.name: The cloud project name. Examples: Google Cloud Project name, Azure Project name.

type: keyword

example: my project
cloud.target.provider: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

type: keyword

example: aws
cloud.target.region: Region in which this host, resource, or service is located.

type: keyword

example: us-east-1
cloud.target.service.name: The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

type: keyword

example: lambda

code_signature

These fields contain information about binary code signatures.

code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256
code_signature.exists: Boolean to capture if a signature is present.

type: boolean

example: true
code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy
code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT
code_signature.subject_name: Subject name of the code signer

type: keyword

example: Microsoft Corporation
code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV
code_signature.timestamp: Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z
code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true
code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true

container

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.

container.cpu.usage: Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.

type: scaled_float
container.disk.read.bytes: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.

type: long
container.disk.write.bytes: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.

type: long
container.id: Unique container id.

type: keyword
container.image.name: Name of the image the container was built on.

type: keyword
container.image.tag: Container image tags.

type: keyword
container.labels: Image labels.

type: object
container.memory.usage: Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.

type: scaled_float
container.name: Container name.

type: keyword
container.network.egress.bytes: The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.

type: long
container.network.ingress.bytes: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.

type: long
container.runtime: Runtime managing this container.

type: keyword

example: docker

data_stream

The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: {data_stream.type}-{data_stream.dataset}-{data_stream.namespace}. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this blog post. An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, or #. Please see the Elasticsearch reference for additional restrictions.

data_stream.dataset: The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

type: constant_keyword

example: nginx.access
data_stream.namespace: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

type: constant_keyword

example: production
data_stream.type: An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

type: constant_keyword

example: logs

destination

Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.

destination.address: Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword
destination.as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169
destination.as.organization.name: Organization name.

type: keyword

example: Google LLC
destination.as.organization.name.text: type: match_only_text
destination.bytes: Bytes sent from the destination to the source.

type: long

example: 184

format: bytes
destination.domain: The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.

type: keyword

example: foo.example.com
destination.geo.city_name: City name.

type: keyword

example: Montreal
destination.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
destination.geo.continent_name: Name of the continent.

type: keyword

example: North America
destination.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
destination.geo.country_name: Country name.

type: keyword

example: Canada
destination.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
destination.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
destination.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
destination.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
destination.geo.region_name: Region name.

type: keyword

example: Quebec
destination.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
destination.ip: IP address of the destination (IPv4 or IPv6).

type: ip
destination.mac: MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: 00-00-5E-00-53-23
destination.nat.ip: Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.

type: ip
destination.nat.port: Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.

type: long

format: string
destination.packets: Packets sent from the destination to the source.

type: long

example: 12
destination.port: Port of the destination.

type: long

format: string
destination.registered_domain: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
destination.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east
destination.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
destination.user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
destination.user.email: User email address.

type: keyword
destination.user.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
destination.user.full_name.text: type: match_only_text
destination.user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
destination.user.group.id: Unique identifier for the group on the system/platform.

type: keyword
destination.user.group.name: Name of the group.

type: keyword
destination.user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
destination.user.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
destination.user.name: Short name or login of the user.

type: keyword

example: a.einstein
destination.user.name.text: type: match_only_text
destination.user.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]

dll

These fields contain information about code libraries dynamically loaded into processes.

Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (.dll) commonly used on Windows * Shared Object (.so) commonly used on Unix-like operating systems * Dynamic library (.dylib) commonly used on macOS

dll.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256
dll.code_signature.exists: Boolean to capture if a signature is present.

type: boolean

example: true
dll.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy
dll.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT
dll.code_signature.subject_name: Subject name of the code signer

type: keyword

example: Microsoft Corporation
dll.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV
dll.code_signature.timestamp: Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z
dll.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true
dll.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true
dll.hash.md5: MD5 hash.

type: keyword
dll.hash.sha1: SHA1 hash.

type: keyword
dll.hash.sha256: SHA256 hash.

type: keyword
dll.hash.sha512: SHA512 hash.

type: keyword
dll.hash.ssdeep: SSDEEP hash.

type: keyword
dll.name: Name of the library. This generally maps to the name of the file on disk.

type: keyword

example: kernel32.dll
dll.path: Full file path of the library.

type: keyword

example: C:\Windows\System32\kernel32.dll
dll.pe.architecture: CPU architecture target for the file.

type: keyword

example: x64
dll.pe.company: Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation
dll.pe.description: Internal description of the file, provided at compile-time.

type: keyword

example: Paint
dll.pe.file_version: Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415
dll.pe.imphash: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf
dll.pe.original_file_name: Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE
dll.pe.product: Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

dns

Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (dns.type:query) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (dns.type:answer).

dns.answers: An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the data key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.

type: object
dns.answers.class: The class of DNS data contained in this resource record.

type: keyword

example: IN
dns.answers.data: The data describing the resource. The meaning of this data depends on the type and class of the resource record.

type: keyword

example: 10.10.10.10
dns.answers.name: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data. It should not simply be the original question.name repeated.

type: keyword

example: www.example.com
dns.answers.ttl: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.

type: long

example: 180
dns.answers.type: The type of data contained in this resource record.

type: keyword

example: CNAME
dns.header_flags: Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.

type: keyword

example: ["RD", "RA"]
dns.id: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

type: keyword

example: 62111
dns.op_code: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.

type: keyword

example: QUERY
dns.question.class: The class of records being queried.

type: keyword

example: IN
dns.question.name: The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.

type: keyword

example: www.example.com
dns.question.registered_domain: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
dns.question.subdomain: The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: www
dns.question.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
dns.question.type: The type of record being queried.

type: keyword

example: AAAA
dns.resolved_ip: Array containing all IPs seen in answers.data. The answers array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to dns.resolved_ip makes it possible to index them as IP addresses, and makes them easier to visualize and query for.

type: ip

example: ["10.10.10.10", "10.10.10.11"]
dns.response_code: The DNS response code.

type: keyword

example: NOERROR
dns.type: The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type dns.type:query. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.

type: keyword

example: answer

ecs

Meta-information specific to ECS.

ecs.version: ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

type: keyword

example: 1.0.0

required: True

elf

These fields contain Linux Executable Linkable Format (ELF) metadata.

elf.architecture: Machine architecture of the ELF file.

type: keyword

example: x86-64
elf.byte_order: Byte sequence of ELF file.

type: keyword

example: Little Endian
elf.cpu_type: CPU type of the ELF file.

type: keyword

example: Intel
elf.creation_date: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date
elf.exports: List of exported element names and types.

type: flattened
elf.header.abi_version: Version of the ELF Application Binary Interface (ABI).

type: keyword
elf.header.class: Header class of the ELF file.

type: keyword
elf.header.data: Data table of the ELF header.

type: keyword
elf.header.entrypoint: Header entrypoint of the ELF file.

type: long

format: string
elf.header.object_version: "0x1" for original ELF files.

type: keyword
elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS.

type: keyword
elf.header.type: Header type of the ELF file.

type: keyword
elf.header.version: Version of the ELF header.

type: keyword
elf.imports: List of imported element names and types.

type: flattened
elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested
elf.sections.chi2: Chi-square probability distribution of the section.

type: long

format: number
elf.sections.entropy: Shannon entropy calculation from the section.

type: long

format: number
elf.sections.flags: ELF Section List flags.

type: keyword
elf.sections.name: ELF Section List name.

type: keyword
elf.sections.physical_offset: ELF Section List offset.

type: keyword
elf.sections.physical_size: ELF Section List physical size.

type: long

format: bytes
elf.sections.type: ELF Section List type.

type: keyword
elf.sections.virtual_address: ELF Section List virtual address.

type: long

format: string
elf.sections.virtual_size: ELF Section List virtual size.

type: long

format: string
elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested
elf.segments.sections: ELF object segment sections.

type: keyword
elf.segments.type: ELF object segment type.

type: keyword
elf.shared_libraries: List of shared libraries used by this ELF object.

type: keyword
elf.telfhash: telfhash symbol hash for ELF file.

type: keyword

error

These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.

error.code: Error code describing the error.

type: keyword
error.id: Unique identifier for the error.

type: keyword
error.message: Error message.

type: match_only_text
error.stack_trace: The stack trace of this error in plain text.

type: wildcard
error.stack_trace.text: type: match_only_text
error.type: The type of the error, for example the class name of the exception.

type: keyword

example: java.lang.NullPointerException

event

The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the event.kind definition in this section for additional details about metric and state events.

event.action: The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.

type: keyword

example: user-password-change
event.agent_id_status: Agents are normally responsible for populating the agent.id field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the agent.id value in events can be checked against the certificate. If the values match then event.agent_id_status: verified is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: verified - The agent.id field value matches expected value obtained from auth metadata. mismatch - The agent.id field value does not match the expected value obtained from auth metadata. missing - There was no agent.id field in the event to validate. auth_metadata_missing - There was no auth metadata or it was missing information about the agent ID.

type: keyword

example: verified
event.category: This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.

type: keyword

example: authentication
event.code: Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.

type: keyword

example: 4648
event.created: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.

type: date

example: 2016-05-23T08:05:34.857Z
event.dataset: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.

type: keyword

example: apache.access
event.duration: Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.

type: long

format: duration
event.end: event.end contains the date when the event ended or when the activity was last observed.

type: date
event.hash: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.

type: keyword

example: 123456789012345678901234567890ABCD
event.id: Unique ID to describe the event.

type: keyword

example: 8a4f500d
event.ingested: Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It’s also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested.

type: date

example: 2016-05-23T08:05:35.101Z
event.kind: This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.

type: keyword

example: alert
event.module: Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.

type: keyword

example: apache
event.original: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference.

type: keyword

example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232

Field is not indexed.
event.outcome: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

type: keyword

example: success
event.provider: Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).

type: keyword

example: kernel
event.reason: Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site).

type: keyword

example: Terminated an unexpected process
event.reference: Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by event.kind:alert, are a common use case for this field.

type: keyword

example: https://system.example.com/event/#0001234
event.risk_score: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.

type: float
event.risk_score_norm: Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.

type: float
event.sequence: Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.

type: long

format: string
event.severity: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity.

type: long

example: 7

format: string
event.start: event.start contains the date when the event started or when the activity was first observed.

type: date
event.timezone: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").

type: keyword
event.type: This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.

type: keyword
event.url: URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field.

type: keyword

example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe

faas

The user fields describe information about the function as a service that is relevant to the event.

faas.coldstart: Boolean value indicating a cold start of a function.

type: boolean
faas.execution: The execution ID of the current function execution.

type: keyword

example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
faas.trigger: Details about the function trigger.

type: nested
faas.trigger.request_id: The ID of the trigger request , message, event, etc.

type: keyword

example: 123456789
faas.trigger.type: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other

type: keyword

example: http

file

A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

file.accessed: Last time the file was accessed. Note that not all filesystems keep track of access time.

type: date
file.attributes: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.

type: keyword

example: ["readonly", "system"]
file.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256
file.code_signature.exists: Boolean to capture if a signature is present.

type: boolean

example: true
file.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy
file.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT
file.code_signature.subject_name: Subject name of the code signer

type: keyword

example: Microsoft Corporation
file.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV
file.code_signature.timestamp: Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z
file.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true
file.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true
file.created: File creation time. Note that not all filesystems store the creation time.

type: date
file.ctime: Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.

type: date
file.device: Device that is the source of the file.

type: keyword

example: sda
file.directory: Directory where the file is located. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice
file.drive_letter: Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.

type: keyword

example: C
file.elf.architecture: Machine architecture of the ELF file.

type: keyword

example: x86-64
file.elf.byte_order: Byte sequence of ELF file.

type: keyword

example: Little Endian
file.elf.cpu_type: CPU type of the ELF file.

type: keyword

example: Intel
file.elf.creation_date: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date
file.elf.exports: List of exported element names and types.

type: flattened
file.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI).

type: keyword
file.elf.header.class: Header class of the ELF file.

type: keyword
file.elf.header.data: Data table of the ELF header.

type: keyword
file.elf.header.entrypoint: Header entrypoint of the ELF file.

type: long

format: string
file.elf.header.object_version: "0x1" for original ELF files.

type: keyword
file.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS.

type: keyword
file.elf.header.type: Header type of the ELF file.

type: keyword
file.elf.header.version: Version of the ELF header.

type: keyword
file.elf.imports: List of imported element names and types.

type: flattened
file.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested
file.elf.sections.chi2: Chi-square probability distribution of the section.

type: long

format: number
file.elf.sections.entropy: Shannon entropy calculation from the section.

type: long

format: number
file.elf.sections.flags: ELF Section List flags.

type: keyword
file.elf.sections.name: ELF Section List name.

type: keyword
file.elf.sections.physical_offset: ELF Section List offset.

type: keyword
file.elf.sections.physical_size: ELF Section List physical size.

type: long

format: bytes
file.elf.sections.type: ELF Section List type.

type: keyword
file.elf.sections.virtual_address: ELF Section List virtual address.

type: long

format: string
file.elf.sections.virtual_size: ELF Section List virtual size.

type: long

format: string
file.elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested
file.elf.segments.sections: ELF object segment sections.

type: keyword
file.elf.segments.type: ELF object segment type.

type: keyword
file.elf.shared_libraries: List of shared libraries used by this ELF object.

type: keyword
file.elf.telfhash: telfhash symbol hash for ELF file.

type: keyword
file.extension: File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").

type: keyword

example: png
file.fork_name: A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.

type: keyword

example: Zone.Identifer
file.gid: Primary group ID (GID) of the file.

type: keyword

example: 1001
file.group: Primary group name of the file.

type: keyword

example: alice
file.hash.md5: MD5 hash.

type: keyword
file.hash.sha1: SHA1 hash.

type: keyword
file.hash.sha256: SHA256 hash.

type: keyword
file.hash.sha512: SHA512 hash.

type: keyword
file.hash.ssdeep: SSDEEP hash.

type: keyword
file.inode: Inode representing the file in the filesystem.

type: keyword

example: 256383
file.mime_type: MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.

type: keyword
file.mode: Mode of the file in octal representation.

type: keyword

example: 0640
file.mtime: Last time the file content was modified.

type: date
file.name: Name of the file including the extension, without the directory.

type: keyword

example: example.png
file.owner: File owner’s username.

type: keyword

example: alice
file.path: Full path to the file, including the file name. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice/example.png
file.path.text: type: match_only_text
file.pe.architecture: CPU architecture target for the file.

type: keyword

example: x64
file.pe.company: Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation
file.pe.description: Internal description of the file, provided at compile-time.

type: keyword

example: Paint
file.pe.file_version: Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415
file.pe.imphash: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf
file.pe.original_file_name: Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE
file.pe.product: Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System
file.size: File size in bytes. Only relevant when file.type is "file".

type: long

example: 16384
file.target_path: Target path for symlinks.

type: keyword
file.target_path.text: type: match_only_text
file.type: File type (file, dir, or symlink).

type: keyword

example: file
file.uid: The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

example: 1001
file.x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co
file.x509.issuer.common_name: List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA
file.x509.issuer.country: List of country © codes

type: keyword

example: US
file.x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
file.x509.issuer.locality: List of locality names (L)

type: keyword

example: Mountain View
file.x509.issuer.organization: List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc
file.x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com
file.x509.issuer.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
file.x509.not_after: Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00
file.x509.not_before: Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00
file.x509.public_key_algorithm: Algorithm used to generate the public key.

type: keyword

example: RSA
file.x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521
file.x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.
file.x509.public_key_size: The size of the public key space in bits.

type: long

example: 2048
file.x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA
file.x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA
file.x509.subject.common_name: List of common names (CN) of subject.

type: keyword

example: shared.global.example.net
file.x509.subject.country: List of country © code

type: keyword

example: US
file.x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
file.x509.subject.locality: List of locality names (L)

type: keyword

example: San Francisco
file.x509.subject.organization: List of organizations (O) of subject.

type: keyword

example: Example, Inc.
file.x509.subject.organizational_unit: List of organizational units (OU) of subject.

type: keyword
file.x509.subject.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
file.x509.version_number: Version of x509 format.

type: keyword

example: 3

geo

Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.

geo.city_name: City name.

type: keyword

example: Montreal
geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
geo.continent_name: Name of the continent.

type: keyword

example: North America
geo.country_iso_code: Country ISO code.

type: keyword

example: CA
geo.country_name: Country name.

type: keyword

example: Canada
geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
geo.region_name: Region name.

type: keyword

example: Quebec
geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires

group

The group fields are meant to represent groups that are relevant to the event.

group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
group.id: Unique identifier for the group on the system/platform.

type: keyword
group.name: Name of the group.

type: keyword

hash

The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).

hash.md5: MD5 hash.

type: keyword
hash.sha1: SHA1 hash.

type: keyword
hash.sha256: SHA256 hash.

type: keyword
hash.sha512: SHA512 hash.

type: keyword
hash.ssdeep: SSDEEP hash.

type: keyword

host

A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.

host.architecture: Operating system architecture.

type: keyword

example: x86_64
host.cpu.usage: Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.

type: scaled_float
host.disk.read.bytes: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.

type: long
host.disk.write.bytes: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.

type: long
host.domain: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.

type: keyword

example: CONTOSO
host.geo.city_name: City name.

type: keyword

example: Montreal
host.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
host.geo.continent_name: Name of the continent.

type: keyword

example: North America
host.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
host.geo.country_name: Country name.

type: keyword

example: Canada
host.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
host.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
host.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
host.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
host.geo.region_name: Region name.

type: keyword

example: Quebec
host.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
host.hostname: Hostname of the host. It normally contains what the hostname command returns on the host machine.

type: keyword
host.id: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.

type: keyword
host.ip: Host ip addresses.

type: ip
host.mac: Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
host.name: Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

type: keyword
host.network.egress.bytes: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long
host.network.egress.packets: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long
host.network.ingress.bytes: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.

type: long
host.network.ingress.packets: The number of packets (gauge) received on all network interfaces by the host since the last metric collection.

type: long
host.os.family: OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian
host.os.full: Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave
host.os.full.text: type: match_only_text
host.os.kernel: Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic
host.os.name: Operating system name, without the version.

type: keyword

example: Mac OS X
host.os.name.text: type: match_only_text
host.os.platform: Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin
host.os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword

example: macos
host.os.version: Operating system version as a raw string.

type: keyword

example: 10.14.1
host.type: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword
host.uptime: Seconds the host has been up.

type: long

example: 1325

http

Fields related to HTTP activity. Use the url field set to store the url of the request.

http.request.body.bytes: Size in bytes of the request body.

type: long

example: 887

format: bytes
http.request.body.content: The full HTTP request body.

type: wildcard

example: Hello world
http.request.body.content.text: type: match_only_text
http.request.bytes: Total size in bytes of the request (body and headers).

type: long

example: 1437

format: bytes
http.request.id: A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as X-Request-ID or X-Correlation-ID.

type: keyword

example: 123e4567-e89b-12d3-a456-426614174000
http.request.method: HTTP request method. The value should retain its casing from the original event. For example, GET, get, and GeT are all considered valid values for this field.

type: keyword

example: POST
http.request.mime_type: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the Content-Type header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.

type: keyword

example: image/gif
http.request.referrer: Referrer for this HTTP request.

type: keyword

example: https://blog.example.com/
http.response.body.bytes: Size in bytes of the response body.

type: long

example: 887

format: bytes
http.response.body.content: The full HTTP response body.

type: wildcard

example: Hello world
http.response.body.content.text: type: match_only_text
http.response.bytes: Total size in bytes of the response (body and headers).

type: long

example: 1437

format: bytes
http.response.mime_type: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the Content-Type header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.

type: keyword

example: image/gif
http.response.status_code: HTTP response status code.

type: long

example: 404

format: string
http.version: HTTP version.

type: keyword

example: 1.1

interface

The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.

interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.

type: keyword

example: outside
interface.id: Interface ID as reported by an observer (typically SNMP interface ID).

type: keyword

example: 10
interface.name: Interface name as reported by the system.

type: keyword

example: eth0

log

Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under log.syslog.. The details specific to your event source are typically not logged under log., but rather in event.* or in other ECS fields.

log.file.path: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.

type: keyword

example: /var/log/fun-times.log
log.level: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are warn, err, i, informational.

type: keyword

example: error
log.logger: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.

type: keyword

example: org.elasticsearch.bootstrap.Bootstrap
log.origin.file.line: The line number of the file containing the source code which originated the log event.

type: long

example: 42
log.origin.file.name: The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is log.file.path.

type: keyword

example: Bootstrap.java
log.origin.function: The name of the function or method which originated the log event.

type: keyword

example: init
log.syslog: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.

type: object
log.syslog.facility.code: The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.

type: long

example: 23

format: string
log.syslog.facility.name: The Syslog text-based facility of the log event, if available.

type: keyword

example: local7
log.syslog.priority: Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.

type: long

example: 135

format: string
log.syslog.severity.code: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.

type: long

example: 3
log.syslog.severity.name: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.

type: keyword

example: Error

network

The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.

network.application: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a https network connection, like facebook or twitter. The field value must be normalized to lowercase for querying.

type: keyword

example: aim
network.bytes: Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum.

type: long

example: 368

format: bytes
network.community_id: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.

type: keyword

example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
network.direction: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown

When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.

type: keyword

example: inbound
network.forwarded_ip: Host IP address when the source IP address is the proxy.

type: ip

example: 192.1.1.2
network.iana_number: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.

type: keyword

example: 6
network.inner: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)

type: object
network.inner.vlan.id: VLAN ID as reported by the observer.

type: keyword

example: 10
network.inner.vlan.name: Optional VLAN name as reported by the observer.

type: keyword

example: outside
network.name: Name given by operators to sections of their network.

type: keyword

example: Guest Wifi
network.packets: Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum.

type: long

example: 24
network.protocol: In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh. The field value must be normalized to lowercase for querying.

type: keyword

example: http
network.transport: Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.

type: keyword

example: tcp
network.type: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.

type: keyword

example: ipv4
network.vlan.id: VLAN ID as reported by the observer.

type: keyword

example: 10
network.vlan.name: Optional VLAN name as reported by the observer.

type: keyword

example: outside

observer

An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.

observer.egress: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.

type: object
observer.egress.interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.

type: keyword

example: outside
observer.egress.interface.id: Interface ID as reported by an observer (typically SNMP interface ID).

type: keyword

example: 10
observer.egress.interface.name: Interface name as reported by the system.

type: keyword

example: eth0
observer.egress.vlan.id: VLAN ID as reported by the observer.

type: keyword

example: 10
observer.egress.vlan.name: Optional VLAN name as reported by the observer.

type: keyword

example: outside
observer.egress.zone: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.

type: keyword

example: Public_Internet
observer.geo.city_name: City name.

type: keyword

example: Montreal
observer.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
observer.geo.continent_name: Name of the continent.

type: keyword

example: North America
observer.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
observer.geo.country_name: Country name.

type: keyword

example: Canada
observer.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
observer.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
observer.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
observer.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
observer.geo.region_name: Region name.

type: keyword

example: Quebec
observer.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
observer.hostname: Hostname of the observer.

type: keyword
observer.ingress: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.

type: object
observer.ingress.interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.

type: keyword

example: outside
observer.ingress.interface.id: Interface ID as reported by an observer (typically SNMP interface ID).

type: keyword

example: 10
observer.ingress.interface.name: Interface name as reported by the system.

type: keyword

example: eth0
observer.ingress.vlan.id: VLAN ID as reported by the observer.

type: keyword

example: 10
observer.ingress.vlan.name: Optional VLAN name as reported by the observer.

type: keyword

example: outside
observer.ingress.zone: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.

type: keyword

example: DMZ
observer.ip: IP addresses of the observer.

type: ip
observer.mac: MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
observer.name: Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.

type: keyword

example: 1_proxySG
observer.os.family: OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian
observer.os.full: Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave
observer.os.full.text: type: match_only_text
observer.os.kernel: Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic
observer.os.name: Operating system name, without the version.

type: keyword

example: Mac OS X
observer.os.name.text: type: match_only_text
observer.os.platform: Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin
observer.os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword

example: macos
observer.os.version: Operating system version as a raw string.

type: keyword

example: 10.14.1
observer.product: The product name of the observer.

type: keyword

example: s200
observer.serial_number: Observer serial number.

type: keyword
observer.type: The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

type: keyword

example: firewall
observer.vendor: Vendor name of the observer.

type: keyword

example: Symantec
observer.version: Observer version.

type: keyword

orchestrator

Fields that describe the resources which container orchestrators manage or act upon.

orchestrator.api_version: API version being used to carry out the action

type: keyword

example: v1beta1
orchestrator.cluster.name: Name of the cluster.

type: keyword
orchestrator.cluster.url: URL of the API used to manage the cluster.

type: keyword
orchestrator.cluster.version: The version of the cluster.

type: keyword
orchestrator.namespace: Namespace in which the action is taking place.

type: keyword

example: kube-system
orchestrator.organization: Organization affected by the event (for multi-tenant orchestrator setups).

type: keyword

example: elastic
orchestrator.resource.name: Name of the resource being acted upon.

type: keyword

example: test-pod-cdcws
orchestrator.resource.type: Type of resource being acted upon.

type: keyword

example: service
orchestrator.type: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).

type: keyword

example: kubernetes

organization

The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.

organization.id: Unique identifier for the organization.

type: keyword
organization.name: Organization name.

type: keyword
organization.name.text: type: match_only_text

os

The OS fields contain information about the operating system.

os.family: OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian
os.full: Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave
os.full.text: type: match_only_text
os.kernel: Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic
os.name: Operating system name, without the version.

type: keyword

example: Mac OS X
os.name.text: type: match_only_text
os.platform: Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin
os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword

example: macos
os.version: Operating system version as a raw string.

type: keyword

example: 10.14.1

package

These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.

package.architecture: Package architecture.

type: keyword

example: x86_64
package.build_version: Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.

type: keyword

example: 36f4f7e89dd61b0988b12ee000b98966867710cd
package.checksum: Checksum of the installed package for verification.

type: keyword

example: 68b329da9893e34099c7d8ad5cb9c940
package.description: Description of the package.

type: keyword

example: Open source programming language to build simple/reliable/efficient software.
package.install_scope: Indicating how the package was installed, e.g. user-local, global.

type: keyword

example: global
package.installed: Time when package was installed.

type: date
package.license: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).

type: keyword

example: Apache License 2.0
package.name: Package name

type: keyword

example: go
package.path: Path where the package is installed.

type: keyword

example: /usr/local/Cellar/go/1.12.9/
package.reference: Home page or reference URL of the software in this package, if available.

type: keyword

example: https://golang.org
package.size: Package size in bytes.

type: long

example: 62231

format: string
package.type: Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.

type: keyword

example: rpm
package.version: Package version

type: keyword

example: 1.12.9

pe

These fields contain Windows Portable Executable (PE) metadata.

pe.architecture: CPU architecture target for the file.

type: keyword

example: x64
pe.company: Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation
pe.description: Internal description of the file, provided at compile-time.

type: keyword

example: Paint
pe.file_version: Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415
pe.imphash: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf
pe.original_file_name: Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE
pe.product: Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

process

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

process.args: Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

type: keyword

example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
process.args_count: Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: 4
process.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256
process.code_signature.exists: Boolean to capture if a signature is present.

type: boolean

example: true
process.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy
process.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT
process.code_signature.subject_name: Subject name of the code signer

type: keyword

example: Microsoft Corporation
process.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV
process.code_signature.timestamp: Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z
process.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true
process.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true
process.command_line: Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.

type: wildcard

example: /usr/bin/ssh -l user 10.0.0.16
process.command_line.text: type: match_only_text
process.elf.architecture: Machine architecture of the ELF file.

type: keyword

example: x86-64
process.elf.byte_order: Byte sequence of ELF file.

type: keyword

example: Little Endian
process.elf.cpu_type: CPU type of the ELF file.

type: keyword

example: Intel
process.elf.creation_date: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date
process.elf.exports: List of exported element names and types.

type: flattened
process.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI).

type: keyword
process.elf.header.class: Header class of the ELF file.

type: keyword
process.elf.header.data: Data table of the ELF header.

type: keyword
process.elf.header.entrypoint: Header entrypoint of the ELF file.

type: long

format: string
process.elf.header.object_version: "0x1" for original ELF files.

type: keyword
process.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS.

type: keyword
process.elf.header.type: Header type of the ELF file.

type: keyword
process.elf.header.version: Version of the ELF header.

type: keyword
process.elf.imports: List of imported element names and types.

type: flattened
process.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested
process.elf.sections.chi2: Chi-square probability distribution of the section.

type: long

format: number
process.elf.sections.entropy: Shannon entropy calculation from the section.

type: long

format: number
process.elf.sections.flags: ELF Section List flags.

type: keyword
process.elf.sections.name: ELF Section List name.

type: keyword
process.elf.sections.physical_offset: ELF Section List offset.

type: keyword
process.elf.sections.physical_size: ELF Section List physical size.

type: long

format: bytes
process.elf.sections.type: ELF Section List type.

type: keyword
process.elf.sections.virtual_address: ELF Section List virtual address.

type: long

format: string
process.elf.sections.virtual_size: ELF Section List virtual size.

type: long

format: string
process.elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested
process.elf.segments.sections: ELF object segment sections.

type: keyword
process.elf.segments.type: ELF object segment type.

type: keyword
process.elf.shared_libraries: List of shared libraries used by this ELF object.

type: keyword
process.elf.telfhash: telfhash symbol hash for ELF file.

type: keyword
process.end: The time the process ended.

type: date

example: 2016-05-23T08:05:34.853Z
process.entity_id: Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: c2c455d9f99375d
process.executable: Absolute path to the process executable.

type: keyword

example: /usr/bin/ssh
process.executable.text: type: match_only_text
process.exit_code: The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: 137
process.hash.md5: MD5 hash.

type: keyword
process.hash.sha1: SHA1 hash.

type: keyword
process.hash.sha256: SHA256 hash.

type: keyword
process.hash.sha512: SHA512 hash.

type: keyword
process.hash.ssdeep: SSDEEP hash.

type: keyword
process.name: Process name. Sometimes called program name or similar.

type: keyword

example: ssh
process.name.text: type: match_only_text
process.parent.args: Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

type: keyword

example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
process.parent.args_count: Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: 4
process.parent.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256
process.parent.code_signature.exists: Boolean to capture if a signature is present.

type: boolean

example: true
process.parent.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy
process.parent.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT
process.parent.code_signature.subject_name: Subject name of the code signer

type: keyword

example: Microsoft Corporation
process.parent.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV
process.parent.code_signature.timestamp: Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z
process.parent.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true
process.parent.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true
process.parent.command_line: Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.

type: wildcard

example: /usr/bin/ssh -l user 10.0.0.16
process.parent.command_line.text: type: match_only_text
process.parent.elf.architecture: Machine architecture of the ELF file.

type: keyword

example: x86-64
process.parent.elf.byte_order: Byte sequence of ELF file.

type: keyword

example: Little Endian
process.parent.elf.cpu_type: CPU type of the ELF file.

type: keyword

example: Intel
process.parent.elf.creation_date: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date
process.parent.elf.exports: List of exported element names and types.

type: flattened
process.parent.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI).

type: keyword
process.parent.elf.header.class: Header class of the ELF file.

type: keyword
process.parent.elf.header.data: Data table of the ELF header.

type: keyword
process.parent.elf.header.entrypoint: Header entrypoint of the ELF file.

type: long

format: string
process.parent.elf.header.object_version: "0x1" for original ELF files.

type: keyword
process.parent.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS.

type: keyword
process.parent.elf.header.type: Header type of the ELF file.

type: keyword
process.parent.elf.header.version: Version of the ELF header.

type: keyword
process.parent.elf.imports: List of imported element names and types.

type: flattened
process.parent.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested
process.parent.elf.sections.chi2: Chi-square probability distribution of the section.

type: long

format: number
process.parent.elf.sections.entropy: Shannon entropy calculation from the section.

type: long

format: number
process.parent.elf.sections.flags: ELF Section List flags.

type: keyword
process.parent.elf.sections.name: ELF Section List name.

type: keyword
process.parent.elf.sections.physical_offset: ELF Section List offset.

type: keyword
process.parent.elf.sections.physical_size: ELF Section List physical size.

type: long

format: bytes
process.parent.elf.sections.type: ELF Section List type.

type: keyword
process.parent.elf.sections.virtual_address: ELF Section List virtual address.

type: long

format: string
process.parent.elf.sections.virtual_size: ELF Section List virtual size.

type: long

format: string
process.parent.elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested
process.parent.elf.segments.sections: ELF object segment sections.

type: keyword
process.parent.elf.segments.type: ELF object segment type.

type: keyword
process.parent.elf.shared_libraries: List of shared libraries used by this ELF object.

type: keyword
process.parent.elf.telfhash: telfhash symbol hash for ELF file.

type: keyword
process.parent.end: The time the process ended.

type: date

example: 2016-05-23T08:05:34.853Z
process.parent.entity_id: Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: c2c455d9f99375d
process.parent.executable: Absolute path to the process executable.

type: keyword

example: /usr/bin/ssh
process.parent.executable.text: type: match_only_text
process.parent.exit_code: The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: 137
process.parent.hash.md5: MD5 hash.

type: keyword
process.parent.hash.sha1: SHA1 hash.

type: keyword
process.parent.hash.sha256: SHA256 hash.

type: keyword
process.parent.hash.sha512: SHA512 hash.

type: keyword
process.parent.hash.ssdeep: SSDEEP hash.

type: keyword
process.parent.name: Process name. Sometimes called program name or similar.

type: keyword

example: ssh
process.parent.name.text: type: match_only_text
process.parent.pe.architecture: CPU architecture target for the file.

type: keyword

example: x64
process.parent.pe.company: Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation
process.parent.pe.description: Internal description of the file, provided at compile-time.

type: keyword

example: Paint
process.parent.pe.file_version: Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415
process.parent.pe.imphash: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf
process.parent.pe.original_file_name: Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE
process.parent.pe.product: Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System
process.parent.pgid: Identifier of the group of processes the process belongs to.

type: long

format: string
process.parent.pid: Process id.

type: long

example: 4242

format: string
process.parent.start: The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z
process.parent.thread.id: Thread ID.

type: long

example: 4242

format: string
process.parent.thread.name: Thread name.

type: keyword

example: thread-0
process.parent.title: Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

type: keyword
process.parent.title.text: type: match_only_text
process.parent.uptime: Seconds the process has been up.

type: long

example: 1325
process.parent.working_directory: The working directory of the process.

type: keyword

example: /home/alice
process.parent.working_directory.text: type: match_only_text
process.pe.architecture: CPU architecture target for the file.

type: keyword

example: x64
process.pe.company: Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation
process.pe.description: Internal description of the file, provided at compile-time.

type: keyword

example: Paint
process.pe.file_version: Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415
process.pe.imphash: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf
process.pe.original_file_name: Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE
process.pe.product: Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System
process.pgid: Identifier of the group of processes the process belongs to.

type: long

format: string
process.pid: Process id.

type: long

example: 4242

format: string
process.start: The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z
process.thread.id: Thread ID.

type: long

example: 4242

format: string
process.thread.name: Thread name.

type: keyword

example: thread-0
process.title: Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

type: keyword
process.title.text: type: match_only_text
process.uptime: Seconds the process has been up.

type: long

example: 1325
process.working_directory: The working directory of the process.

type: keyword

example: /home/alice
process.working_directory.text: type: match_only_text

registry

Fields related to Windows Registry operations.

registry.data.bytes: Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.

type: keyword

example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
registry.data.strings: Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g "1").

type: wildcard

example: ["C:\rta\red_ttp\bin\myapp.exe"]
registry.data.type: Standard registry type for encoding contents

type: keyword

example: REG_SZ
registry.hive: Abbreviated name for the hive.

type: keyword

example: HKLM
registry.key: Hive-relative path of keys.

type: keyword

example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
registry.path: Full path, including hive, key and value

type: keyword

example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
registry.value: Name of the value written.

type: keyword

example: Debugger

This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in related.. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to related.ip, you can then search for a given IP trivially, no matter where it appeared, by querying related.ip:192.0.2.15.

related.hash: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).

type: keyword
related.hosts: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.

type: keyword
related.ip: All of the IPs seen on your event.

type: ip
related.user: All the user names or other user identifiers seen on the event.

type: keyword

rule

Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.

rule.author: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.

type: keyword

example: ["Star-Lord"]
rule.category: A categorization value keyword used by the entity using the rule for detection of this event.

type: keyword

example: Attempted Information Leak
rule.description: The description of the rule generating the event.

type: keyword

example: Block requests to public DNS over HTTPS / TLS protocols
rule.id: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.

type: keyword

example: 101
rule.license: Name of the license under which the rule used to generate this event is made available.

type: keyword

example: Apache 2.0
rule.name: The name of the rule or signature generating the event.

type: keyword

example: BLOCK_DNS_over_TLS
rule.reference: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.

type: keyword

example: https://en.wikipedia.org/wiki/DNS_over_TLS
rule.ruleset: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.

type: keyword

example: Standard_Protocol_Filters
rule.uuid: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.

type: keyword

example: 1100110011
rule.version: The version / revision of the rule being used for analysis.

type: keyword

example: 1.1

server

A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.

server.address: Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword
server.as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169
server.as.organization.name: Organization name.

type: keyword

example: Google LLC
server.as.organization.name.text: type: match_only_text
server.bytes: Bytes sent from the server to the client.

type: long

example: 184

format: bytes
server.domain: The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.

type: keyword

example: foo.example.com
server.geo.city_name: City name.

type: keyword

example: Montreal
server.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
server.geo.continent_name: Name of the continent.

type: keyword

example: North America
server.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
server.geo.country_name: Country name.

type: keyword

example: Canada
server.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
server.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
server.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
server.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
server.geo.region_name: Region name.

type: keyword

example: Quebec
server.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
server.ip: IP address of the server (IPv4 or IPv6).

type: ip
server.mac: MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: 00-00-5E-00-53-23
server.nat.ip: Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.

type: ip
server.nat.port: Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.

type: long

format: string
server.packets: Packets sent from the server to the client.

type: long

example: 12
server.port: Port of the server.

type: long

format: string
server.registered_domain: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
server.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east
server.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
server.user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
server.user.email: User email address.

type: keyword
server.user.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
server.user.full_name.text: type: match_only_text
server.user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
server.user.group.id: Unique identifier for the group on the system/platform.

type: keyword
server.user.group.name: Name of the group.

type: keyword
server.user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
server.user.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
server.user.name: Short name or login of the user.

type: keyword

example: a.einstein
server.user.name.text: type: match_only_text
server.user.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]

service

The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.

service.address: Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).

type: keyword

example: 172.26.0.2:5432
service.environment: Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

type: keyword

example: production
service.ephemeral_id: Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.

type: keyword

example: 8a4f500f
service.id: Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.

type: keyword

example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
service.name: Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

type: keyword

example: elasticsearch-metrics
service.node.name: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

type: keyword

example: instance-0000000016
service.origin.address: Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).

type: keyword

example: 172.26.0.2:5432
service.origin.environment: Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

type: keyword

example: production
service.origin.ephemeral_id: Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.

type: keyword

example: 8a4f500f
service.origin.id: Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.

type: keyword

example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
service.origin.name: Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

type: keyword

example: elasticsearch-metrics
service.origin.node.name: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

type: keyword

example: instance-0000000016
service.origin.state: Current state of the service.

type: keyword
service.origin.type: The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.

type: keyword

example: elasticsearch
service.origin.version: Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

type: keyword

example: 3.2.4
service.state: Current state of the service.

type: keyword
service.target.address: Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).

type: keyword

example: 172.26.0.2:5432
service.target.environment: Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

type: keyword

example: production
service.target.ephemeral_id: Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.

type: keyword

example: 8a4f500f
service.target.id: Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.

type: keyword

example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
service.target.name: Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

type: keyword

example: elasticsearch-metrics
service.target.node.name: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

type: keyword

example: instance-0000000016
service.target.state: Current state of the service.

type: keyword
service.target.type: The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.

type: keyword

example: elasticsearch
service.target.version: Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

type: keyword

example: 3.2.4
service.type: The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.

type: keyword

example: elasticsearch
service.version: Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

type: keyword

example: 3.2.4

source

Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.

source.address: Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword
source.as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169
source.as.organization.name: Organization name.

type: keyword

example: Google LLC
source.as.organization.name.text: type: match_only_text
source.bytes: Bytes sent from the source to the destination.

type: long

example: 184

format: bytes
source.domain: The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.

type: keyword

example: foo.example.com
source.geo.city_name: City name.

type: keyword

example: Montreal
source.geo.continent_code: Two-letter code representing continent’s name.

type: keyword

example: NA
source.geo.continent_name: Name of the continent.

type: keyword

example: North America
source.geo.country_iso_code: Country ISO code.

type: keyword

example: CA
source.geo.country_name: Country name.

type: keyword

example: Canada
source.geo.location: Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }
source.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc
source.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040
source.geo.region_iso_code: Region ISO code.

type: keyword

example: CA-QC
source.geo.region_name: Region name.

type: keyword

example: Quebec
source.geo.timezone: The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires
source.ip: IP address of the source (IPv4 or IPv6).

type: ip
source.mac: MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

example: 00-00-5E-00-53-23
source.nat.ip: Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.

type: ip
source.nat.port: Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.

type: long

format: string
source.packets: Packets sent from the source to the destination.

type: long

example: 12
source.port: Port of the source.

type: long

format: string
source.registered_domain: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
source.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east
source.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
source.user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
source.user.email: User email address.

type: keyword
source.user.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
source.user.full_name.text: type: match_only_text
source.user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
source.user.group.id: Unique identifier for the group on the system/platform.

type: keyword
source.user.group.name: Name of the group.

type: keyword
source.user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
source.user.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
source.user.name: Short name or login of the user.

type: keyword

example: a.einstein
source.user.name.text: type: match_only_text
source.user.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]

threat

Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").

threat.enrichments

A list of associated indicators objects enriching the event, and the context of that association/enrichment.

type: nested

threat.enrichments.indicator

Object containing associated indicators enriching the event.

type: object

threat.enrichments.indicator.as.number

Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169

threat.enrichments.indicator.as.organization.name

Organization name.

type: keyword

example: Google LLC

threat.enrichments.indicator.as.organization.name.text

type: match_only_text

threat.enrichments.indicator.confidence

Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High

type: keyword

example: Medium

threat.enrichments.indicator.description

Describes the type of action conducted by the threat.

type: keyword

example: IP x.x.x.x was observed delivering the Angler EK.

threat.enrichments.indicator.email.address

Identifies a threat indicator as an email address (irrespective of direction).

type: keyword

example: phish@example.com

threat.enrichments.indicator.file.accessed

Last time the file was accessed. Note that not all filesystems keep track of access time.

type: date

threat.enrichments.indicator.file.attributes

Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.

type: keyword

example: ["readonly", "system"]

threat.enrichments.indicator.file.code_signature.digest_algorithm

The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256

threat.enrichments.indicator.file.code_signature.exists

Boolean to capture if a signature is present.

type: boolean

example: true

threat.enrichments.indicator.file.code_signature.signing_id

The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy

threat.enrichments.indicator.file.code_signature.status

Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT

threat.enrichments.indicator.file.code_signature.subject_name

Subject name of the code signer

type: keyword

example: Microsoft Corporation

threat.enrichments.indicator.file.code_signature.team_id

The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV

threat.enrichments.indicator.file.code_signature.timestamp

Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z

threat.enrichments.indicator.file.code_signature.trusted

Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true

threat.enrichments.indicator.file.code_signature.valid

Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true

threat.enrichments.indicator.file.created

File creation time. Note that not all filesystems store the creation time.

type: date

threat.enrichments.indicator.file.ctime

Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.

type: date

threat.enrichments.indicator.file.device

Device that is the source of the file.

type: keyword

example: sda

threat.enrichments.indicator.file.directory

Directory where the file is located. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice

threat.enrichments.indicator.file.drive_letter

Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.

type: keyword

example: C

threat.enrichments.indicator.file.elf.architecture

Machine architecture of the ELF file.

type: keyword

example: x86-64

threat.enrichments.indicator.file.elf.byte_order

Byte sequence of ELF file.

type: keyword

example: Little Endian

threat.enrichments.indicator.file.elf.cpu_type

CPU type of the ELF file.

type: keyword

example: Intel

threat.enrichments.indicator.file.elf.creation_date

Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date

threat.enrichments.indicator.file.elf.exports

List of exported element names and types.

type: flattened

threat.enrichments.indicator.file.elf.header.abi_version

Version of the ELF Application Binary Interface (ABI).

type: keyword

threat.enrichments.indicator.file.elf.header.class

Header class of the ELF file.

type: keyword

threat.enrichments.indicator.file.elf.header.data

Data table of the ELF header.

type: keyword

threat.enrichments.indicator.file.elf.header.entrypoint

Header entrypoint of the ELF file.

type: long

format: string

threat.enrichments.indicator.file.elf.header.object_version

"0x1" for original ELF files.

type: keyword

threat.enrichments.indicator.file.elf.header.os_abi

Application Binary Interface (ABI) of the Linux OS.

type: keyword

threat.enrichments.indicator.file.elf.header.type

Header type of the ELF file.

type: keyword

threat.enrichments.indicator.file.elf.header.version

Version of the ELF header.

type: keyword

threat.enrichments.indicator.file.elf.imports

List of imported element names and types.

type: flattened

threat.enrichments.indicator.file.elf.sections

An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested

threat.enrichments.indicator.file.elf.sections.chi2

Chi-square probability distribution of the section.

type: long

format: number

threat.enrichments.indicator.file.elf.sections.entropy

Shannon entropy calculation from the section.

type: long

format: number

threat.enrichments.indicator.file.elf.sections.flags

ELF Section List flags.

type: keyword

threat.enrichments.indicator.file.elf.sections.name

ELF Section List name.

type: keyword

threat.enrichments.indicator.file.elf.sections.physical_offset

ELF Section List offset.

type: keyword

threat.enrichments.indicator.file.elf.sections.physical_size

ELF Section List physical size.

type: long

format: bytes

threat.enrichments.indicator.file.elf.sections.type

ELF Section List type.

type: keyword

threat.enrichments.indicator.file.elf.sections.virtual_address

ELF Section List virtual address.

type: long

format: string

threat.enrichments.indicator.file.elf.sections.virtual_size

ELF Section List virtual size.

type: long

format: string

threat.enrichments.indicator.file.elf.segments

An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested

threat.enrichments.indicator.file.elf.segments.sections

ELF object segment sections.

type: keyword

threat.enrichments.indicator.file.elf.segments.type

ELF object segment type.

type: keyword

threat.enrichments.indicator.file.elf.shared_libraries

List of shared libraries used by this ELF object.

type: keyword

threat.enrichments.indicator.file.elf.telfhash

telfhash symbol hash for ELF file.

type: keyword

threat.enrichments.indicator.file.extension

File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").

type: keyword

example: png

threat.enrichments.indicator.file.fork_name

A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.

type: keyword

example: Zone.Identifer

threat.enrichments.indicator.file.gid

Primary group ID (GID) of the file.

type: keyword

example: 1001

threat.enrichments.indicator.file.group

Primary group name of the file.

type: keyword

example: alice

threat.enrichments.indicator.file.hash.md5

MD5 hash.

type: keyword

threat.enrichments.indicator.file.hash.sha1

SHA1 hash.

type: keyword

threat.enrichments.indicator.file.hash.sha256

SHA256 hash.

type: keyword

threat.enrichments.indicator.file.hash.sha512

SHA512 hash.

type: keyword

threat.enrichments.indicator.file.hash.ssdeep

SSDEEP hash.

type: keyword

threat.enrichments.indicator.file.inode

Inode representing the file in the filesystem.

type: keyword

example: 256383

threat.enrichments.indicator.file.mime_type

MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.

type: keyword

threat.enrichments.indicator.file.mode

Mode of the file in octal representation.

type: keyword

example: 0640

threat.enrichments.indicator.file.mtime

Last time the file content was modified.

type: date

threat.enrichments.indicator.file.name

Name of the file including the extension, without the directory.

type: keyword

example: example.png

threat.enrichments.indicator.file.owner

File owner’s username.

type: keyword

example: alice

threat.enrichments.indicator.file.path

Full path to the file, including the file name. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice/example.png

threat.enrichments.indicator.file.path.text

type: match_only_text

threat.enrichments.indicator.file.pe.architecture

CPU architecture target for the file.

type: keyword

example: x64

threat.enrichments.indicator.file.pe.company

Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation

threat.enrichments.indicator.file.pe.description

Internal description of the file, provided at compile-time.

type: keyword

example: Paint

threat.enrichments.indicator.file.pe.file_version

Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415

threat.enrichments.indicator.file.pe.imphash

A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf

threat.enrichments.indicator.file.pe.original_file_name

Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE

threat.enrichments.indicator.file.pe.product

Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

threat.enrichments.indicator.file.size

File size in bytes. Only relevant when file.type is "file".

type: long

example: 16384

threat.enrichments.indicator.file.target_path

Target path for symlinks.

type: keyword

threat.enrichments.indicator.file.target_path.text

type: match_only_text

threat.enrichments.indicator.file.type

File type (file, dir, or symlink).

type: keyword

example: file

threat.enrichments.indicator.file.uid

The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

example: 1001

threat.enrichments.indicator.file.x509.alternative_names

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co

threat.enrichments.indicator.file.x509.issuer.common_name

List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA

threat.enrichments.indicator.file.x509.issuer.country

type: keyword

example: US

threat.enrichments.indicator.file.x509.issuer.distinguished_name

Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.enrichments.indicator.file.x509.issuer.locality

List of locality names (L)

type: keyword

example: Mountain View

threat.enrichments.indicator.file.x509.issuer.organization

List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc

threat.enrichments.indicator.file.x509.issuer.organizational_unit

List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com

threat.enrichments.indicator.file.x509.issuer.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.enrichments.indicator.file.x509.not_after

Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00

threat.enrichments.indicator.file.x509.not_before

Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00

threat.enrichments.indicator.file.x509.public_key_algorithm

Algorithm used to generate the public key.

type: keyword

example: RSA

threat.enrichments.indicator.file.x509.public_key_curve

The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521

threat.enrichments.indicator.file.x509.public_key_exponent

Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.

threat.enrichments.indicator.file.x509.public_key_size

The size of the public key space in bits.

type: long

example: 2048

threat.enrichments.indicator.file.x509.serial_number

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

threat.enrichments.indicator.file.x509.signature_algorithm

Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA

threat.enrichments.indicator.file.x509.subject.common_name

List of common names (CN) of subject.

type: keyword

example: shared.global.example.net

threat.enrichments.indicator.file.x509.subject.country

type: keyword

example: US

threat.enrichments.indicator.file.x509.subject.distinguished_name

Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.enrichments.indicator.file.x509.subject.locality

List of locality names (L)

type: keyword

example: San Francisco

threat.enrichments.indicator.file.x509.subject.organization

List of organizations (O) of subject.

type: keyword

example: Example, Inc.

threat.enrichments.indicator.file.x509.subject.organizational_unit

List of organizational units (OU) of subject.

type: keyword

threat.enrichments.indicator.file.x509.subject.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.enrichments.indicator.file.x509.version_number

Version of x509 format.

type: keyword

example: 3

threat.enrichments.indicator.first_seen

The date and time when intelligence source first reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.enrichments.indicator.geo.city_name

City name.

type: keyword

example: Montreal

threat.enrichments.indicator.geo.continent_code

Two-letter code representing continent’s name.

type: keyword

example: NA

threat.enrichments.indicator.geo.continent_name

Name of the continent.

type: keyword

example: North America

threat.enrichments.indicator.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

threat.enrichments.indicator.geo.country_name

Country name.

type: keyword

example: Canada

threat.enrichments.indicator.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

threat.enrichments.indicator.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

threat.enrichments.indicator.geo.postal_code

Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040

threat.enrichments.indicator.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

threat.enrichments.indicator.geo.region_name

Region name.

type: keyword

example: Quebec

threat.enrichments.indicator.geo.timezone

The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires

threat.enrichments.indicator.ip

Identifies a threat indicator as an IP address (irrespective of direction).

type: ip

example: 1.2.3.4

threat.enrichments.indicator.last_seen

The date and time when intelligence source last reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.enrichments.indicator.marking.tlp

Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED

type: keyword

example: White

threat.enrichments.indicator.modified_at

The date and time when intelligence source last modified information for this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.enrichments.indicator.port

Identifies a threat indicator as a port number (irrespective of direction).

type: long

example: 443

threat.enrichments.indicator.provider

The name of the indicator’s provider.

type: keyword

example: lrz_urlhaus

threat.enrichments.indicator.reference

Reference URL linking to additional information about this indicator.

type: keyword

example: https://system.example.com/indicator/0001234

threat.enrichments.indicator.registry.data.bytes

Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.

type: keyword

example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=

threat.enrichments.indicator.registry.data.strings

Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g "1").

type: wildcard

example: ["C:\rta\red_ttp\bin\myapp.exe"]

threat.enrichments.indicator.registry.data.type

Standard registry type for encoding contents

type: keyword

example: REG_SZ

threat.enrichments.indicator.registry.hive

Abbreviated name for the hive.

type: keyword

example: HKLM

threat.enrichments.indicator.registry.key

Hive-relative path of keys.

type: keyword

example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe

threat.enrichments.indicator.registry.path

Full path, including hive, key and value

type: keyword

example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger

threat.enrichments.indicator.registry.value

Name of the value written.

type: keyword

example: Debugger

threat.enrichments.indicator.scanner_stats

Count of AV/EDR vendors that successfully detected malicious file or URL.

type: long

example: 4

threat.enrichments.indicator.sightings

Number of times this indicator was observed conducting threat activity.

type: long

example: 20

threat.enrichments.indicator.type

Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate

type: keyword

example: ipv4-addr

threat.enrichments.indicator.url.domain

Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.

type: keyword

example: www.elastic.co

threat.enrichments.indicator.url.extension

The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").

type: keyword

example: png

threat.enrichments.indicator.url.fragment

Portion of the url after the , such as "top". The is not part of the fragment.

type: keyword

threat.enrichments.indicator.url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top

threat.enrichments.indicator.url.full.text

type: match_only_text

threat.enrichments.indicator.url.original

Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

threat.enrichments.indicator.url.original.text

type: match_only_text

threat.enrichments.indicator.url.password

Password of the request.

type: keyword

threat.enrichments.indicator.url.path

Path of the request, such as "/search".

type: wildcard

threat.enrichments.indicator.url.port

Port of the request, such as 443.

type: long

example: 443

format: string

threat.enrichments.indicator.url.query

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword

threat.enrichments.indicator.url.registered_domain

The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com

threat.enrichments.indicator.url.scheme

Scheme of the request, such as "https". Note: The : is not part of the scheme.

type: keyword

example: https

threat.enrichments.indicator.url.subdomain

The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east

threat.enrichments.indicator.url.top_level_domain

The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk

threat.enrichments.indicator.url.username

Username of the request.

type: keyword

threat.enrichments.indicator.x509.alternative_names

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co

threat.enrichments.indicator.x509.issuer.common_name

List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA

threat.enrichments.indicator.x509.issuer.country

type: keyword

example: US

threat.enrichments.indicator.x509.issuer.distinguished_name

Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.enrichments.indicator.x509.issuer.locality

List of locality names (L)

type: keyword

example: Mountain View

threat.enrichments.indicator.x509.issuer.organization

List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc

threat.enrichments.indicator.x509.issuer.organizational_unit

List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com

threat.enrichments.indicator.x509.issuer.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.enrichments.indicator.x509.not_after

Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00

threat.enrichments.indicator.x509.not_before

Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00

threat.enrichments.indicator.x509.public_key_algorithm

Algorithm used to generate the public key.

type: keyword

example: RSA

threat.enrichments.indicator.x509.public_key_curve

The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521

threat.enrichments.indicator.x509.public_key_exponent

Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.

threat.enrichments.indicator.x509.public_key_size

The size of the public key space in bits.

type: long

example: 2048

threat.enrichments.indicator.x509.serial_number

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

threat.enrichments.indicator.x509.signature_algorithm

Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA

threat.enrichments.indicator.x509.subject.common_name

List of common names (CN) of subject.

type: keyword

example: shared.global.example.net

threat.enrichments.indicator.x509.subject.country

type: keyword

example: US

threat.enrichments.indicator.x509.subject.distinguished_name

Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.enrichments.indicator.x509.subject.locality

List of locality names (L)

type: keyword

example: San Francisco

threat.enrichments.indicator.x509.subject.organization

List of organizations (O) of subject.

type: keyword

example: Example, Inc.

threat.enrichments.indicator.x509.subject.organizational_unit

List of organizational units (OU) of subject.

type: keyword

threat.enrichments.indicator.x509.subject.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.enrichments.indicator.x509.version_number

Version of x509 format.

type: keyword

example: 3

threat.enrichments.matched.atomic

Identifies the atomic indicator value that matched a local environment endpoint or network event.

type: keyword

example: bad-domain.com

threat.enrichments.matched.field

Identifies the field of the atomic indicator that matched a local environment endpoint or network event.

type: keyword

example: file.hash.sha256

threat.enrichments.matched.id

Identifies the _id of the indicator document enriching the event.

type: keyword

example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5

threat.enrichments.matched.index

Identifies the _index of the indicator document enriching the event.

type: keyword

example: filebeat-8.0.0-2021.05.23-000011

threat.enrichments.matched.type

Identifies the type of match that caused the event to be enriched with the given indicator

type: keyword

example: indicator_match_rule

threat.framework

Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.

type: keyword

example: MITRE ATT&CK

threat.group.alias

The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).

type: keyword

example: [ "Magecart Group 6" ]

threat.group.id

The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.

type: keyword

example: G0037

threat.group.name

The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.

type: keyword

example: FIN6

threat.group.reference

The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.

type: keyword

example: https://attack.mitre.org/groups/G0037/

threat.indicator.as.number

Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169

threat.indicator.as.organization.name

Organization name.

type: keyword

example: Google LLC

threat.indicator.as.organization.name.text

type: match_only_text

threat.indicator.confidence

type: keyword

example: Medium

threat.indicator.description

Describes the type of action conducted by the threat.

type: keyword

example: IP x.x.x.x was observed delivering the Angler EK.

threat.indicator.email.address

Identifies a threat indicator as an email address (irrespective of direction).

type: keyword

example: phish@example.com

threat.indicator.file.accessed

Last time the file was accessed. Note that not all filesystems keep track of access time.

type: date

threat.indicator.file.attributes

type: keyword

example: ["readonly", "system"]

threat.indicator.file.code_signature.digest_algorithm

The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.

type: keyword

example: sha256

threat.indicator.file.code_signature.exists

Boolean to capture if a signature is present.

type: boolean

example: true

threat.indicator.file.code_signature.signing_id

The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy

threat.indicator.file.code_signature.status

type: keyword

example: ERROR_UNTRUSTED_ROOT

threat.indicator.file.code_signature.subject_name

Subject name of the code signer

type: keyword

example: Microsoft Corporation

threat.indicator.file.code_signature.team_id

The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV

threat.indicator.file.code_signature.timestamp

Date and time when the code signature was generated and signed.

type: date

example: 2021-01-01T12:10:30Z

threat.indicator.file.code_signature.trusted

Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true

threat.indicator.file.code_signature.valid

Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.

type: boolean

example: true

threat.indicator.file.created

File creation time. Note that not all filesystems store the creation time.

type: date

threat.indicator.file.ctime

type: date

threat.indicator.file.device

Device that is the source of the file.

type: keyword

example: sda

threat.indicator.file.directory

Directory where the file is located. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice

threat.indicator.file.drive_letter

Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.

type: keyword

example: C

threat.indicator.file.elf.architecture

Machine architecture of the ELF file.

type: keyword

example: x86-64

threat.indicator.file.elf.byte_order

Byte sequence of ELF file.

type: keyword

example: Little Endian

threat.indicator.file.elf.cpu_type

CPU type of the ELF file.

type: keyword

example: Intel

threat.indicator.file.elf.creation_date

Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.

type: date

threat.indicator.file.elf.exports

List of exported element names and types.

type: flattened

threat.indicator.file.elf.header.abi_version

Version of the ELF Application Binary Interface (ABI).

type: keyword

threat.indicator.file.elf.header.class

Header class of the ELF file.

type: keyword

threat.indicator.file.elf.header.data

Data table of the ELF header.

type: keyword

threat.indicator.file.elf.header.entrypoint

Header entrypoint of the ELF file.

type: long

format: string

threat.indicator.file.elf.header.object_version

"0x1" for original ELF files.

type: keyword

threat.indicator.file.elf.header.os_abi

Application Binary Interface (ABI) of the Linux OS.

type: keyword

threat.indicator.file.elf.header.type

Header type of the ELF file.

type: keyword

threat.indicator.file.elf.header.version

Version of the ELF header.

type: keyword

threat.indicator.file.elf.imports

List of imported element names and types.

type: flattened

threat.indicator.file.elf.sections

An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested

threat.indicator.file.elf.sections.chi2

Chi-square probability distribution of the section.

type: long

format: number

threat.indicator.file.elf.sections.entropy

Shannon entropy calculation from the section.

type: long

format: number

threat.indicator.file.elf.sections.flags

ELF Section List flags.

type: keyword

threat.indicator.file.elf.sections.name

ELF Section List name.

type: keyword

threat.indicator.file.elf.sections.physical_offset

ELF Section List offset.

type: keyword

threat.indicator.file.elf.sections.physical_size

ELF Section List physical size.

type: long

format: bytes

threat.indicator.file.elf.sections.type

ELF Section List type.

type: keyword

threat.indicator.file.elf.sections.virtual_address

ELF Section List virtual address.

type: long

format: string

threat.indicator.file.elf.sections.virtual_size

ELF Section List virtual size.

type: long

format: string

threat.indicator.file.elf.segments

An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested

threat.indicator.file.elf.segments.sections

ELF object segment sections.

type: keyword

threat.indicator.file.elf.segments.type

ELF object segment type.

type: keyword

threat.indicator.file.elf.shared_libraries

List of shared libraries used by this ELF object.

type: keyword

threat.indicator.file.elf.telfhash

telfhash symbol hash for ELF file.

type: keyword

threat.indicator.file.extension

File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").

type: keyword

example: png

threat.indicator.file.fork_name

type: keyword

example: Zone.Identifer

threat.indicator.file.gid

Primary group ID (GID) of the file.

type: keyword

example: 1001

threat.indicator.file.group

Primary group name of the file.

type: keyword

example: alice

threat.indicator.file.hash.md5

MD5 hash.

type: keyword

threat.indicator.file.hash.sha1

SHA1 hash.

type: keyword

threat.indicator.file.hash.sha256

SHA256 hash.

type: keyword

threat.indicator.file.hash.sha512

SHA512 hash.

type: keyword

threat.indicator.file.hash.ssdeep

SSDEEP hash.

type: keyword

threat.indicator.file.inode

Inode representing the file in the filesystem.

type: keyword

example: 256383

threat.indicator.file.mime_type

MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.

type: keyword

threat.indicator.file.mode

Mode of the file in octal representation.

type: keyword

example: 0640

threat.indicator.file.mtime

Last time the file content was modified.

type: date

threat.indicator.file.name

Name of the file including the extension, without the directory.

type: keyword

example: example.png

threat.indicator.file.owner

File owner’s username.

type: keyword

example: alice

threat.indicator.file.path

Full path to the file, including the file name. It should include the drive letter, when appropriate.

type: keyword

example: /home/alice/example.png

threat.indicator.file.path.text

type: match_only_text

threat.indicator.file.pe.architecture

CPU architecture target for the file.

type: keyword

example: x64

threat.indicator.file.pe.company

Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation

threat.indicator.file.pe.description

Internal description of the file, provided at compile-time.

type: keyword

example: Paint

threat.indicator.file.pe.file_version

Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415

threat.indicator.file.pe.imphash

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf

threat.indicator.file.pe.original_file_name

Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE

threat.indicator.file.pe.product

Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

threat.indicator.file.size

File size in bytes. Only relevant when file.type is "file".

type: long

example: 16384

threat.indicator.file.target_path

Target path for symlinks.

type: keyword

threat.indicator.file.target_path.text

type: match_only_text

threat.indicator.file.type

File type (file, dir, or symlink).

type: keyword

example: file

threat.indicator.file.uid

The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

example: 1001

threat.indicator.file.x509.alternative_names

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co

threat.indicator.file.x509.issuer.common_name

List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA

threat.indicator.file.x509.issuer.country

type: keyword

example: US

threat.indicator.file.x509.issuer.distinguished_name

Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.indicator.file.x509.issuer.locality

List of locality names (L)

type: keyword

example: Mountain View

threat.indicator.file.x509.issuer.organization

List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc

threat.indicator.file.x509.issuer.organizational_unit

List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com

threat.indicator.file.x509.issuer.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.indicator.file.x509.not_after

Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00

threat.indicator.file.x509.not_before

Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00

threat.indicator.file.x509.public_key_algorithm

Algorithm used to generate the public key.

type: keyword

example: RSA

threat.indicator.file.x509.public_key_curve

The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521

threat.indicator.file.x509.public_key_exponent

Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.

threat.indicator.file.x509.public_key_size

The size of the public key space in bits.

type: long

example: 2048

threat.indicator.file.x509.serial_number

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

threat.indicator.file.x509.signature_algorithm

Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA

threat.indicator.file.x509.subject.common_name

List of common names (CN) of subject.

type: keyword

example: shared.global.example.net

threat.indicator.file.x509.subject.country

type: keyword

example: US

threat.indicator.file.x509.subject.distinguished_name

Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.indicator.file.x509.subject.locality

List of locality names (L)

type: keyword

example: San Francisco

threat.indicator.file.x509.subject.organization

List of organizations (O) of subject.

type: keyword

example: Example, Inc.

threat.indicator.file.x509.subject.organizational_unit

List of organizational units (OU) of subject.

type: keyword

threat.indicator.file.x509.subject.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.indicator.file.x509.version_number

Version of x509 format.

type: keyword

example: 3

threat.indicator.first_seen

The date and time when intelligence source first reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.indicator.geo.city_name

City name.

type: keyword

example: Montreal

threat.indicator.geo.continent_code

Two-letter code representing continent’s name.

type: keyword

example: NA

threat.indicator.geo.continent_name

Name of the continent.

type: keyword

example: North America

threat.indicator.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

threat.indicator.geo.country_name

Country name.

type: keyword

example: Canada

threat.indicator.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

threat.indicator.geo.name

type: keyword

example: boston-dc

threat.indicator.geo.postal_code

Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040

threat.indicator.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

threat.indicator.geo.region_name

Region name.

type: keyword

example: Quebec

threat.indicator.geo.timezone

The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires

threat.indicator.ip

Identifies a threat indicator as an IP address (irrespective of direction).

type: ip

example: 1.2.3.4

threat.indicator.last_seen

The date and time when intelligence source last reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.indicator.marking.tlp

Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED

type: keyword

example: WHITE

threat.indicator.modified_at

The date and time when intelligence source last modified information for this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

threat.indicator.port

Identifies a threat indicator as a port number (irrespective of direction).

type: long

example: 443

threat.indicator.provider

The name of the indicator’s provider.

type: keyword

example: lrz_urlhaus

threat.indicator.reference

Reference URL linking to additional information about this indicator.

type: keyword

example: https://system.example.com/indicator/0001234

threat.indicator.registry.data.bytes

type: keyword

example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=

threat.indicator.registry.data.strings

type: wildcard

example: ["C:\rta\red_ttp\bin\myapp.exe"]

threat.indicator.registry.data.type

Standard registry type for encoding contents

type: keyword

example: REG_SZ

threat.indicator.registry.hive

Abbreviated name for the hive.

type: keyword

example: HKLM

threat.indicator.registry.key

Hive-relative path of keys.

type: keyword

example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe

threat.indicator.registry.path

Full path, including hive, key and value

type: keyword

example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger

threat.indicator.registry.value

Name of the value written.

type: keyword

example: Debugger

threat.indicator.scanner_stats

Count of AV/EDR vendors that successfully detected malicious file or URL.

type: long

example: 4

threat.indicator.sightings

Number of times this indicator was observed conducting threat activity.

type: long

example: 20

threat.indicator.type

type: keyword

example: ipv4-addr

threat.indicator.url.domain

type: keyword

example: www.elastic.co

threat.indicator.url.extension

type: keyword

example: png

threat.indicator.url.fragment

Portion of the url after the , such as "top". The is not part of the fragment.

type: keyword

threat.indicator.url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top

threat.indicator.url.full.text

type: match_only_text

threat.indicator.url.original

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

threat.indicator.url.original.text

type: match_only_text

threat.indicator.url.password

Password of the request.

type: keyword

threat.indicator.url.path

Path of the request, such as "/search".

type: wildcard

threat.indicator.url.port

Port of the request, such as 443.

type: long

example: 443

format: string

threat.indicator.url.query

type: keyword

threat.indicator.url.registered_domain

type: keyword

example: example.com

threat.indicator.url.scheme

Scheme of the request, such as "https". Note: The : is not part of the scheme.

type: keyword

example: https

threat.indicator.url.subdomain

type: keyword

example: east

threat.indicator.url.top_level_domain

type: keyword

example: co.uk

threat.indicator.url.username

Username of the request.

type: keyword

threat.indicator.x509.alternative_names

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co

threat.indicator.x509.issuer.common_name

List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA

threat.indicator.x509.issuer.country

type: keyword

example: US

threat.indicator.x509.issuer.distinguished_name

Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.indicator.x509.issuer.locality

List of locality names (L)

type: keyword

example: Mountain View

threat.indicator.x509.issuer.organization

List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc

threat.indicator.x509.issuer.organizational_unit

List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com

threat.indicator.x509.issuer.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.indicator.x509.not_after

Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00

threat.indicator.x509.not_before

Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00

threat.indicator.x509.public_key_algorithm

Algorithm used to generate the public key.

type: keyword

example: RSA

threat.indicator.x509.public_key_curve

The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521

threat.indicator.x509.public_key_exponent

Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.

threat.indicator.x509.public_key_size

The size of the public key space in bits.

type: long

example: 2048

threat.indicator.x509.serial_number

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

threat.indicator.x509.signature_algorithm

Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA

threat.indicator.x509.subject.common_name

List of common names (CN) of subject.

type: keyword

example: shared.global.example.net

threat.indicator.x509.subject.country

type: keyword

example: US

threat.indicator.x509.subject.distinguished_name

Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.indicator.x509.subject.locality

List of locality names (L)

type: keyword

example: San Francisco

threat.indicator.x509.subject.organization

List of organizations (O) of subject.

type: keyword

example: Example, Inc.

threat.indicator.x509.subject.organizational_unit

List of organizational units (OU) of subject.

type: keyword

threat.indicator.x509.subject.state_or_province

List of state or province names (ST, S, or P)

type: keyword

example: California

threat.indicator.x509.version_number

Version of x509 format.

type: keyword

example: 3

threat.software.alias

The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.

type: keyword

example: [ "X-Agent" ]

threat.software.id

The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.

type: keyword

example: S0552

threat.software.name

The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.

type: keyword

example: AdFind

threat.software.platforms

The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows

While not required, you can use a MITRE ATT&CK® software platforms.

type: keyword

example: [ "Windows" ]

threat.software.reference

The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.

type: keyword

example: https://attack.mitre.org/software/S0552/

threat.software.type

The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool

While not required, you can use a MITRE ATT&CK® software type.

type: keyword

example: Tool

threat.tactic.id

The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

example: TA0002

threat.tactic.name

Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)

type: keyword

example: Execution

threat.tactic.reference

The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

example: https://attack.mitre.org/tactics/TA0002/

threat.technique.id

The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

example: T1059

threat.technique.name

The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

example: Command and Scripting Interpreter

threat.technique.name.text

type: match_only_text

threat.technique.reference

The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

example: https://attack.mitre.org/techniques/T1059/

threat.technique.subtechnique.id

The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

example: T1059.001

threat.technique.subtechnique.name

The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

example: PowerShell

threat.technique.subtechnique.name.text

type: match_only_text

threat.technique.subtechnique.reference

The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

example: https://attack.mitre.org/techniques/T1059/001/

tls

Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.

tls.cipher: String indicating the cipher used during the current connection.

type: keyword

example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
tls.client.certificate: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of client.certificate_chain since this value also exists in that list.

type: keyword

example: MII…
tls.client.certificate_chain: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of client.certificate since that value should be the first certificate in the chain.

type: keyword

example: ["MII…", "MII…"]
tls.client.hash.md5: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
tls.client.hash.sha1: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 9E393D93138888D288266C2D915214D1D1CCEB2A
tls.client.hash.sha256: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
tls.client.issuer: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.

type: keyword

example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
tls.client.ja3: A hash that identifies clients based on how they perform an SSL/TLS handshake.

type: keyword

example: d4e5b18d6b55c71272893221c96ba240
tls.client.not_after: Date/Time indicating when client certificate is no longer considered valid.

type: date

example: 2021-01-01T00:00:00.000Z
tls.client.not_before: Date/Time indicating when client certificate is first considered valid.

type: date

example: 1970-01-01T00:00:00.000Z
tls.client.server_name: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to destination.domain.

type: keyword

example: www.elastic.co
tls.client.subject: Distinguished name of subject of the x.509 certificate presented by the client.

type: keyword

example: CN=myclient, OU=Documentation Team, DC=example, DC=com
tls.client.supported_ciphers: Array of ciphers offered by the client during the client hello.

type: keyword

example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"]
tls.client.x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co
tls.client.x509.issuer.common_name: List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA
tls.client.x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
tls.client.x509.issuer.locality: List of locality names (L)

type: keyword

example: Mountain View
tls.client.x509.issuer.organization: List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc
tls.client.x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com
tls.client.x509.issuer.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
tls.client.x509.not_after: Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00
tls.client.x509.not_before: Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00
tls.client.x509.public_key_algorithm: Algorithm used to generate the public key.

type: keyword

example: RSA
tls.client.x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521
tls.client.x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.
tls.client.x509.public_key_size: The size of the public key space in bits.

type: long

example: 2048
tls.client.x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA
tls.client.x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA
tls.client.x509.subject.common_name: List of common names (CN) of subject.

type: keyword

example: shared.global.example.net
tls.client.x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
tls.client.x509.subject.locality: List of locality names (L)

type: keyword

example: San Francisco
tls.client.x509.subject.organization: List of organizations (O) of subject.

type: keyword

example: Example, Inc.
tls.client.x509.subject.organizational_unit: List of organizational units (OU) of subject.

type: keyword
tls.client.x509.subject.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
tls.client.x509.version_number: Version of x509 format.

type: keyword

example: 3
tls.curve: String indicating the curve used for the given cipher, when applicable.

type: keyword

example: secp256r1
tls.established: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.

type: boolean
tls.next_protocol: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.

type: keyword

example: http/1.1
tls.resumed: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.

type: boolean
tls.server.certificate: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of server.certificate_chain since this value also exists in that list.

type: keyword

example: MII…
tls.server.certificate_chain: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of server.certificate since that value should be the first certificate in the chain.

type: keyword

example: ["MII…", "MII…"]
tls.server.hash.md5: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
tls.server.hash.sha1: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 9E393D93138888D288266C2D915214D1D1CCEB2A
tls.server.hash.sha256: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.

type: keyword

example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
tls.server.issuer: Subject of the issuer of the x.509 certificate presented by the server.

type: keyword

example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
tls.server.ja3s: A hash that identifies servers based on how they perform an SSL/TLS handshake.

type: keyword

example: 394441ab65754e2207b1e1b457b3641d
tls.server.not_after: Timestamp indicating when server certificate is no longer considered valid.

type: date

example: 2021-01-01T00:00:00.000Z
tls.server.not_before: Timestamp indicating when server certificate is first considered valid.

type: date

example: 1970-01-01T00:00:00.000Z
tls.server.subject: Subject of the x.509 certificate presented by the server.

type: keyword

example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
tls.server.x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co
tls.server.x509.issuer.common_name: List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA
tls.server.x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
tls.server.x509.issuer.locality: List of locality names (L)

type: keyword

example: Mountain View
tls.server.x509.issuer.organization: List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc
tls.server.x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com
tls.server.x509.issuer.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
tls.server.x509.not_after: Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00
tls.server.x509.not_before: Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00
tls.server.x509.public_key_algorithm: Algorithm used to generate the public key.

type: keyword

example: RSA
tls.server.x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521
tls.server.x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.
tls.server.x509.public_key_size: The size of the public key space in bits.

type: long

example: 2048
tls.server.x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA
tls.server.x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA
tls.server.x509.subject.common_name: List of common names (CN) of subject.

type: keyword

example: shared.global.example.net
tls.server.x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
tls.server.x509.subject.locality: List of locality names (L)

type: keyword

example: San Francisco
tls.server.x509.subject.organization: List of organizations (O) of subject.

type: keyword

example: Example, Inc.
tls.server.x509.subject.organizational_unit: List of organizational units (OU) of subject.

type: keyword
tls.server.x509.subject.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
tls.server.x509.version_number: Version of x509 format.

type: keyword

example: 3
tls.version: Numeric part of the version parsed from the original string.

type: keyword

example: 1.2
tls.version_protocol: Normalized lowercase protocol name parsed from original string.

type: keyword

example: tls
span.id: Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.

type: keyword

example: 3ff9a8981b7ccd5a
trace.id: Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.

type: keyword

example: 4bf92f3577b34da6a3ce929d0e0e4736
transaction.id: Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.

type: keyword

example: 00f067aa0ba902b7

url

URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.

url.domain: Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.

type: keyword

example: www.elastic.co
url.extension: The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").

type: keyword

example: png
url.fragment: Portion of the url after the , such as "top". The is not part of the fragment.

type: keyword
url.full: If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top
url.full.text: type: match_only_text
url.original: Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

type: wildcard

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
url.original.text: type: match_only_text
url.password: Password of the request.

type: keyword
url.path: Path of the request, such as "/search".

type: wildcard
url.port: Port of the request, such as 443.

type: long

example: 443

format: string
url.query: The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword
url.registered_domain: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: example.com
url.scheme: Scheme of the request, such as "https". Note: The : is not part of the scheme.

type: keyword

example: https
url.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: east
url.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk
url.username: Username of the request.

type: keyword

user

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

user.changes.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.changes.email: User email address.

type: keyword
user.changes.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
user.changes.full_name.text: type: match_only_text
user.changes.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.changes.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.changes.group.name: Name of the group.

type: keyword
user.changes.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
user.changes.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
user.changes.name: Short name or login of the user.

type: keyword

example: a.einstein
user.changes.name.text: type: match_only_text
user.changes.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]
user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.effective.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.effective.email: User email address.

type: keyword
user.effective.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
user.effective.full_name.text: type: match_only_text
user.effective.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.effective.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.effective.group.name: Name of the group.

type: keyword
user.effective.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
user.effective.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
user.effective.name: Short name or login of the user.

type: keyword

example: a.einstein
user.effective.name.text: type: match_only_text
user.effective.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]
user.email: User email address.

type: keyword
user.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
user.full_name.text: type: match_only_text
user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.group.name: Name of the group.

type: keyword
user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
user.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
user.name: Short name or login of the user.

type: keyword

example: a.einstein
user.name.text: type: match_only_text
user.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]
user.target.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.target.email: User email address.

type: keyword
user.target.full_name: User’s full name, if available.

type: keyword

example: Albert Einstein
user.target.full_name.text: type: match_only_text
user.target.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.

type: keyword
user.target.group.id: Unique identifier for the group on the system/platform.

type: keyword
user.target.group.name: Name of the group.

type: keyword
user.target.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword
user.target.id: Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000
user.target.name: Short name or login of the user.

type: keyword

example: a.einstein
user.target.name.text: type: match_only_text
user.target.roles: Array of user roles at the time of the event.

type: keyword

example: ["kibana_admin", "reporting_user"]

user_agent

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.device.name: Name of the device.

type: keyword

example: iPhone
user_agent.name: Name of the user agent.

type: keyword

example: Safari
user_agent.original: Unparsed user_agent string.

type: keyword

example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
user_agent.original.text: type: match_only_text
user_agent.os.family: OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian
user_agent.os.full: Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave
user_agent.os.full.text: type: match_only_text
user_agent.os.kernel: Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic
user_agent.os.name: Operating system name, without the version.

type: keyword

example: Mac OS X
user_agent.os.name.text: type: match_only_text
user_agent.os.platform: Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin
user_agent.os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword

example: macos
user_agent.os.version: Operating system version as a raw string.

type: keyword

example: 10.14.1
user_agent.version: Version of the user agent.

type: keyword

example: 12.0

vlan

The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.

vlan.id: VLAN ID as reported by the observer.

type: keyword

example: 10
vlan.name: Optional VLAN name as reported by the observer.

type: keyword

example: outside

vulnerability

The vulnerability fields describe information about a vulnerability that is relevant to an event.

vulnerability.category: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (Qualys vulnerability categories) This field must be an array.

type: keyword

example: ["Firewall"]
vulnerability.classification: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)

type: keyword

example: CVSS
vulnerability.description: The description of the vulnerability that provides additional context of the vulnerability. For example (Common Vulnerabilities and Exposure CVE description)

type: keyword

example: In macOS before 2.12.6, there is a vulnerability in the RPC…
vulnerability.description.text: type: match_only_text
vulnerability.enumeration: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)

type: keyword

example: CVE
vulnerability.id: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (Common Vulnerabilities and Exposure CVE ID

type: keyword

example: CVE-2019-00001
vulnerability.reference: A resource that provides additional information, context, and mitigations for the identified vulnerability.

type: keyword

example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
vulnerability.report_id: The report or scan identification number.

type: keyword

example: 20191018.0001
vulnerability.scanner.vendor: The name of the vulnerability scanner vendor.

type: keyword

example: Tenable
vulnerability.score.base: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)

type: float

example: 5.5
vulnerability.score.environmental: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)

type: float

example: 5.5
vulnerability.score.temporal: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)

type: float
vulnerability.score.version: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)

type: keyword

example: 2.0
vulnerability.severity: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)

type: keyword

example: Critical

x509

This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at file.x509. When hashes of the DER-encoded certificate are available, the hash data set should be populated as well (e.g. file.hash.sha256). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: tls.server.x509 and/or tls.client.x509.

x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co
x509.issuer.common_name: List of common name (CN) of issuing certificate authority.

type: keyword

example: Example SHA2 High Assurance Server CA
x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
x509.issuer.locality: List of locality names (L)

type: keyword

example: Mountain View
x509.issuer.organization: List of organizations (O) of issuing certificate authority.

type: keyword

example: Example Inc
x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority.

type: keyword

example: www.example.com
x509.issuer.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
x509.not_after: Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16 03:15:39+00:00
x509.not_before: Time at which the certificate is first considered valid.

type: date

example: 2019-08-16 01:40:25+00:00
x509.public_key_algorithm: Algorithm used to generate the public key.

type: keyword

example: RSA
x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific.

type: keyword

example: nistp521
x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific.

type: long

example: 65537

Field is not indexed.
x509.public_key_size: The size of the public key space in bits.

type: long

example: 2048
x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA
x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA
x509.subject.common_name: List of common names (CN) of subject.

type: keyword

example: shared.global.example.net
x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
x509.subject.locality: List of locality names (L)

type: keyword

example: San Francisco
x509.subject.organization: List of organizations (O) of subject.

type: keyword

example: Example, Inc.
x509.subject.organizational_unit: List of organizational units (OU) of subject.

type: keyword
x509.subject.state_or_province: List of state or province names (ST, S, or P)

type: keyword

example: California
x509.version_number: Version of x509 format.

type: keyword

example: 3

Elasticsearch fields

elasticsearch Module

elasticsearch

elasticsearch.component: Elasticsearch component from where the log event originated

type: keyword

example: o.e.c.m.MetaDataCreateIndexService
elasticsearch.cluster.uuid: UUID of the cluster

type: keyword

example: GmvrbHlNTiSVYiPf8kxg9g
elasticsearch.cluster.name: Name of the cluster

type: keyword

example: docker-cluster
elasticsearch.node.id: ID of the node

type: keyword

example: DSiWcTyeThWtUXLB9J0BMw
elasticsearch.node.name: Name of the node

type: keyword

example: vWNJsZ3
elasticsearch.index.name: Index name

type: keyword

example: filebeat-test-input
elasticsearch.index.id: Index id

type: keyword

example: aOGgDwbURfCV57AScqbCgw
elasticsearch.shard.id: Id of the shard

type: keyword

example: 0
elasticsearch.elastic_product_origin: Used by Elastic stack to identify which component of the stack sent the request

type: keyword

example: kibana
elasticsearch.http.request.x_opaque_id: Used by Elasticsearch to throttle and deduplicate deprecation warnings

type: keyword

example: v7app
elasticsearch.event.category: Category of the deprecation event

type: keyword

example: compatible_api
elasticsearch.audit.layer: The layer from which this event originated: rest, transport or ip_filter

type: keyword

example: rest
elasticsearch.audit.event_type: The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied

type: keyword

example: access_granted
elasticsearch.audit.origin.type: Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)

type: keyword

example: local_node
elasticsearch.audit.realm: The authentication realm the authentication was validated against

type: keyword
elasticsearch.audit.user.realm: The user’s authentication realm, if authenticated

type: keyword
elasticsearch.audit.user.roles: Roles to which the principal belongs

type: keyword

example: ['kibana_admin', 'beats_admin']
elasticsearch.audit.user.run_as.name: type: keyword
elasticsearch.audit.user.run_as.realm: type: keyword
elasticsearch.audit.component: type: keyword
elasticsearch.audit.action: The name of the action that was executed

type: keyword

example: cluster:monitor/main
elasticsearch.audit.url.params: REST URI parameters

example: {username=jacknich2}
elasticsearch.audit.indices: Indices accessed by action

type: keyword

example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06']
elasticsearch.audit.request.id: Unique ID of request

type: keyword

example: WzL_kb6VSvOhAq0twPvHOQ
elasticsearch.audit.request.name: The type of request that was executed

type: keyword

example: ClearScrollRequest
elasticsearch.audit.request_body: type: alias

alias to: http.request.body.content
elasticsearch.audit.origin_address: type: alias

alias to: source.ip
elasticsearch.audit.uri: type: alias

alias to: url.original
elasticsearch.audit.principal: type: alias

alias to: user.name
elasticsearch.audit.message: type: text
elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user: type: boolean
elasticsearch.audit.authentication.type: type: keyword
elasticsearch.audit.opaque_id: type: text

deprecation

gc

GC fileset fields.

phase

Fields specific to GC phase.

elasticsearch.gc.phase.name: Name of the GC collection phase.

type: keyword
elasticsearch.gc.phase.duration_sec: Collection phase duration according to the Java virtual machine.

type: float
elasticsearch.gc.phase.scrub_symbol_table_time_sec: Pause time in seconds cleaning up symbol tables.

type: float
elasticsearch.gc.phase.scrub_string_table_time_sec: Pause time in seconds cleaning up string tables.

type: float
elasticsearch.gc.phase.weak_refs_processing_time_sec: Time spent processing weak references in seconds.

type: float
elasticsearch.gc.phase.parallel_rescan_time_sec: Time spent in seconds marking live objects while application is stopped.

type: float
elasticsearch.gc.phase.class_unload_time_sec: Time spent unloading unused classes in seconds.

type: float

cpu_time

Process CPU time spent performing collections.

elasticsearch.gc.phase.cpu_time.user_sec: CPU time spent outside the kernel.

type: float
elasticsearch.gc.phase.cpu_time.sys_sec: CPU time spent inside the kernel.

type: float
elasticsearch.gc.phase.cpu_time.real_sec: Total elapsed CPU time spent to complete the collection from start to finish.

type: float
elasticsearch.gc.jvm_runtime_sec: The time from JVM start up in seconds, as a floating point number.

type: float
elasticsearch.gc.threads_total_stop_time_sec: Garbage collection threads total stop time seconds.

type: float
elasticsearch.gc.stopping_threads_time_sec: Time took to stop threads seconds.

type: float
elasticsearch.gc.tags: GC logging tags.

type: keyword

heap

Heap allocation and total size.

elasticsearch.gc.heap.size_kb: Total heap size in kilobytes.

type: integer
elasticsearch.gc.heap.used_kb: Used heap in kilobytes.

type: integer

old_gen

Old generation occupancy and total size.

elasticsearch.gc.old_gen.size_kb: Total size of old generation in kilobytes.

type: integer
elasticsearch.gc.old_gen.used_kb: Old generation occupancy in kilobytes.

type: integer

young_gen

Young generation occupancy and total size.

elasticsearch.gc.young_gen.size_kb: Total size of young generation in kilobytes.

type: integer
elasticsearch.gc.young_gen.used_kb: Young generation occupancy in kilobytes.

type: integer

server

Server log file

elasticsearch.server.stacktrace: Field is not indexed.

gc

GC log

young

Young GC

elasticsearch.server.gc.young.one: type: long

example:
elasticsearch.server.gc.young.two: type: long

example:
elasticsearch.server.gc.overhead_seq: Sequence number

type: long

example: 3449992
elasticsearch.server.gc.collection_duration.ms: Time spent in GC, in milliseconds

type: float

example: 1600
elasticsearch.server.gc.observation_duration.ms: Total time over which collection was observed, in milliseconds

type: float

example: 1800

slowlog

Slowlog events from Elasticsearch

elasticsearch.slowlog.logger: Logger name

type: keyword

example: index.search.slowlog.fetch
elasticsearch.slowlog.took: Time it took to execute the query

type: keyword

example: 300ms
elasticsearch.slowlog.types: Types

type: keyword

example:
elasticsearch.slowlog.stats: Stats groups

type: keyword

example: group1
elasticsearch.slowlog.search_type: Search type

type: keyword

example: QUERY_THEN_FETCH
elasticsearch.slowlog.source_query: Slow query

type: keyword

example: {"query":{"match_all":{"boost":1.0}}}
elasticsearch.slowlog.extra_source: Extra source information

type: keyword

example:
elasticsearch.slowlog.total_hits: Total hits

type: keyword

example: 42
elasticsearch.slowlog.total_shards: Total queried shards

type: keyword

example: 22
elasticsearch.slowlog.routing: Routing

type: keyword

example: s01HZ2QBk9jw4gtgaFtn
elasticsearch.slowlog.id: Id

type: keyword

example:
elasticsearch.slowlog.type: Type

type: keyword

example: doc
elasticsearch.slowlog.source: Source of document that was indexed

type: keyword

Envoyproxy fields

Module for handling logs produced by envoy

envoyproxy

Fields from envoy proxy logs after normalization

envoyproxy.log_type: Envoy log type, normally ACCESS

type: keyword
envoyproxy.response_flags: Response flags

type: keyword
envoyproxy.upstream_service_time: Upstream service time in nanoseconds

type: long

format: duration
envoyproxy.request_id: ID of the request

type: keyword
envoyproxy.authority: Envoy proxy authority field

type: keyword
envoyproxy.proxy_type: Envoy proxy type, tcp or http

type: keyword

Big-IP Access Policy Manager fields

f5 fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Fortinet fields

fortinet Module

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

fortinet

Fields from fortinet FortiOS

fortinet.file.hash.crc32: CRC32 Hash of file

type: keyword

firewall

Module for parsing Fortinet syslog.

fortinet.firewall.acct_stat: Accounting state (RADIUS)

type: keyword
fortinet.firewall.acktime: Alarm Acknowledge Time

type: keyword
fortinet.firewall.act: Action

type: keyword
fortinet.firewall.action: Status of the session

type: keyword
fortinet.firewall.activity: HA activity message

type: keyword
fortinet.firewall.addr: IP Address

type: ip
fortinet.firewall.addr_type: Address Type

type: keyword
fortinet.firewall.addrgrp: Address Group

type: keyword
fortinet.firewall.adgroup: AD Group Name

type: keyword
fortinet.firewall.admin: Admin User

type: keyword
fortinet.firewall.age: Time in seconds - time passed since last seen

type: integer
fortinet.firewall.agent: User agent - eg. agent="Mozilla/5.0"

type: keyword
fortinet.firewall.alarmid: Alarm ID

type: integer
fortinet.firewall.alert: Alert

type: keyword
fortinet.firewall.analyticscksum: The checksum of the file submitted for analytics

type: keyword
fortinet.firewall.analyticssubmit: The flag for analytics submission

type: keyword
fortinet.firewall.ap: Access Point

type: keyword
fortinet.firewall.app-type: Address Type

type: keyword
fortinet.firewall.appact: The security action from app control

type: keyword
fortinet.firewall.appid: Application ID

type: integer
fortinet.firewall.applist: Application Control profile

type: keyword
fortinet.firewall.apprisk: Application Risk Level

type: keyword
fortinet.firewall.apscan: The name of the AP, which scanned and detected the rogue AP

type: keyword
fortinet.firewall.apsn: Access Point

type: keyword
fortinet.firewall.apstatus: Access Point status

type: keyword
fortinet.firewall.aptype: Access Point type

type: keyword
fortinet.firewall.assigned: Assigned IP Address

type: ip
fortinet.firewall.assignip: Assigned IP Address

type: ip
fortinet.firewall.attachment: The flag for email attachement

type: keyword
fortinet.firewall.attack: Attack Name

type: keyword
fortinet.firewall.attackcontext: The trigger patterns and the packetdata with base64 encoding

type: keyword
fortinet.firewall.attackcontextid: Attack context id / total

type: keyword
fortinet.firewall.attackid: Attack ID

type: integer
fortinet.firewall.auditid: Audit ID

type: long
fortinet.firewall.auditscore: The Audit Score

type: keyword
fortinet.firewall.audittime: The time of the audit

type: long
fortinet.firewall.authgrp: Authorization Group

type: keyword
fortinet.firewall.authid: Authentication ID

type: keyword
fortinet.firewall.authproto: The protocol that initiated the authentication

type: keyword
fortinet.firewall.authserver: Authentication server

type: keyword
fortinet.firewall.bandwidth: Bandwidth

type: keyword
fortinet.firewall.banned_rule: NAC quarantine Banned Rule Name

type: keyword
fortinet.firewall.banned_src: NAC quarantine Banned Source IP

type: keyword
fortinet.firewall.banword: Banned word

type: keyword
fortinet.firewall.botnetdomain: Botnet Domain Name

type: keyword
fortinet.firewall.botnetip: Botnet IP Address

type: ip
fortinet.firewall.bssid: Service Set ID

type: keyword
fortinet.firewall.call_id: Caller ID

type: keyword
fortinet.firewall.carrier_ep: The FortiOS Carrier end-point identification

type: keyword
fortinet.firewall.cat: DNS category ID

type: integer
fortinet.firewall.category: Authentication category

type: keyword
fortinet.firewall.cc: CC Email Address

type: keyword
fortinet.firewall.cdrcontent: Cdrcontent

type: keyword
fortinet.firewall.centralnatid: Central NAT ID

type: integer
fortinet.firewall.cert: Certificate

type: keyword
fortinet.firewall.cert-type: Certificate type

type: keyword
fortinet.firewall.certhash: Certificate hash

type: keyword
fortinet.firewall.cfgattr: Configuration attribute

type: keyword
fortinet.firewall.cfgobj: Configuration object

type: keyword
fortinet.firewall.cfgpath: Configuration path

type: keyword
fortinet.firewall.cfgtid: Configuration transaction ID

type: keyword
fortinet.firewall.cfgtxpower: Configuration TX power

type: integer
fortinet.firewall.channel: Wireless Channel

type: integer
fortinet.firewall.channeltype: SSH channel type

type: keyword
fortinet.firewall.chassisid: Chassis ID

type: integer
fortinet.firewall.checksum: The checksum of the scanned file

type: keyword
fortinet.firewall.chgheaders: HTTP Headers

type: keyword
fortinet.firewall.cldobjid: Connector object ID

type: keyword
fortinet.firewall.client_addr: Wifi client address

type: keyword
fortinet.firewall.cloudaction: Cloud Action

type: keyword
fortinet.firewall.clouduser: Cloud User

type: keyword
fortinet.firewall.column: VOIP Column

type: integer
fortinet.firewall.command: CLI Command

type: keyword
fortinet.firewall.community: SNMP Community

type: keyword
fortinet.firewall.configcountry: Configuration country

type: keyword
fortinet.firewall.connection_type: FortiClient Connection Type

type: keyword
fortinet.firewall.conserve: Flag for conserve mode

type: keyword
fortinet.firewall.constraint: WAF http protocol restrictions

type: keyword
fortinet.firewall.contentdisarmed: Email scanned content

type: keyword
fortinet.firewall.contenttype: Content Type from HTTP header

type: keyword
fortinet.firewall.cookies: VPN Cookie

type: keyword
fortinet.firewall.count: Counts of action type

type: integer
fortinet.firewall.countapp: Number of App Ctrl logs associated with the session

type: integer
fortinet.firewall.countav: Number of AV logs associated with the session

type: integer
fortinet.firewall.countcifs: Number of CIFS logs associated with the session

type: integer
fortinet.firewall.countdlp: Number of DLP logs associated with the session

type: integer
fortinet.firewall.countdns: Number of DNS logs associated with the session

type: integer
fortinet.firewall.countemail: Number of email logs associated with the session

type: integer
fortinet.firewall.countff: Number of ff logs associated with the session

type: integer
fortinet.firewall.countips: Number of IPS logs associated with the session

type: integer
fortinet.firewall.countssh: Number of SSH logs associated with the session

type: integer
fortinet.firewall.countssl: Number of SSL logs associated with the session

type: integer
fortinet.firewall.countwaf: Number of WAF logs associated with the session

type: integer
fortinet.firewall.countweb: Number of Web filter logs associated with the session

type: integer
fortinet.firewall.cpu: CPU Usage

type: integer
fortinet.firewall.craction: Client Reputation Action

type: integer
fortinet.firewall.criticalcount: Number of critical ratings

type: integer
fortinet.firewall.crl: Client Reputation Level

type: keyword
fortinet.firewall.crlevel: Client Reputation Level

type: keyword
fortinet.firewall.crscore: Some description

type: integer
fortinet.firewall.cveid: CVE ID

type: keyword
fortinet.firewall.daemon: Daemon name

type: keyword
fortinet.firewall.datarange: Data range for reports

type: keyword
fortinet.firewall.date: Date

type: keyword
fortinet.firewall.ddnsserver: DDNS server

type: ip
fortinet.firewall.desc: Description

type: keyword
fortinet.firewall.detectionmethod: Detection method

type: keyword
fortinet.firewall.devcategory: Device category

type: keyword
fortinet.firewall.devintfname: HA device Interface Name

type: keyword
fortinet.firewall.devtype: Device type

type: keyword
fortinet.firewall.dhcp_msg: DHCP Message

type: keyword
fortinet.firewall.dintf: Destination interface

type: keyword
fortinet.firewall.disk: Assosciated disk

type: keyword
fortinet.firewall.disklograte: Disk logging rate

type: long
fortinet.firewall.dlpextra: DLP extra information

type: keyword
fortinet.firewall.docsource: DLP fingerprint document source

type: keyword
fortinet.firewall.domainctrlauthstate: CIFS domain auth state

type: integer
fortinet.firewall.domainctrlauthtype: CIFS domain auth type

type: integer
fortinet.firewall.domainctrldomain: CIFS domain auth domain

type: keyword
fortinet.firewall.domainctrlip: CIFS Domain IP

type: ip
fortinet.firewall.domainctrlname: CIFS Domain name

type: keyword
fortinet.firewall.domainctrlprotocoltype: CIFS Domain connection protocol

type: integer
fortinet.firewall.domainctrlusername: CIFS Domain username

type: keyword
fortinet.firewall.domainfilteridx: Domain filter ID

type: integer
fortinet.firewall.domainfilterlist: Domain filter name

type: keyword
fortinet.firewall.ds: Direction with distribution system

type: keyword
fortinet.firewall.dst_int: Destination interface

type: keyword
fortinet.firewall.dstintfrole: Destination interface role

type: keyword
fortinet.firewall.dstcountry: Destination country

type: keyword
fortinet.firewall.dstdevcategory: Destination device category

type: keyword
fortinet.firewall.dstdevtype: Destination device type

type: keyword
fortinet.firewall.dstfamily: Destination OS family

type: keyword
fortinet.firewall.dsthwvendor: Destination HW vendor

type: keyword
fortinet.firewall.dsthwversion: Destination HW version

type: keyword
fortinet.firewall.dstinetsvc: Destination interface service

type: keyword
fortinet.firewall.dstosname: Destination OS name

type: keyword
fortinet.firewall.dstosversion: Destination OS version

type: keyword
fortinet.firewall.dstserver: Destination server

type: integer
fortinet.firewall.dstssid: Destination SSID

type: keyword
fortinet.firewall.dstswversion: Destination software version

type: keyword
fortinet.firewall.dstunauthusersource: Destination unauthenticated source

type: keyword
fortinet.firewall.dstuuid: UUID of the Destination IP address

type: keyword
fortinet.firewall.duid: DHCP UID

type: keyword
fortinet.firewall.eapolcnt: EAPOL packet count

type: integer
fortinet.firewall.eapoltype: EAPOL packet type

type: keyword
fortinet.firewall.encrypt: Whether the packet is encrypted or not

type: integer
fortinet.firewall.encryption: Encryption method

type: keyword
fortinet.firewall.epoch: Epoch used for locating file

type: integer
fortinet.firewall.espauth: ESP Authentication

type: keyword
fortinet.firewall.esptransform: ESP Transform

type: keyword
fortinet.firewall.eventtype: UTM Event Type

type: keyword
fortinet.firewall.exch: Mail Exchanges from DNS response answer section

type: keyword
fortinet.firewall.exchange: Mail Exchanges from DNS response answer section

type: keyword
fortinet.firewall.expectedsignature: Expected SSL signature

type: keyword
fortinet.firewall.expiry: FortiGuard override expiry timestamp

type: keyword
fortinet.firewall.fams_pause: Fortinet Analysis and Management Service Pause

type: integer
fortinet.firewall.fazlograte: FortiAnalyzer Logging Rate

type: long
fortinet.firewall.fctemssn: FortiClient Endpoint SSN

type: keyword
fortinet.firewall.fctuid: FortiClient UID

type: keyword
fortinet.firewall.field: NTP status field

type: keyword
fortinet.firewall.filefilter: The filter used to identify the affected file

type: keyword
fortinet.firewall.filehashsrc: Filehash source

type: keyword
fortinet.firewall.filtercat: DLP filter category

type: keyword
fortinet.firewall.filteridx: DLP filter ID

type: integer
fortinet.firewall.filtername: DLP rule name

type: keyword
fortinet.firewall.filtertype: DLP filter type

type: keyword
fortinet.firewall.fortiguardresp: Antispam ESP value

type: keyword
fortinet.firewall.forwardedfor: Email address forwarded

type: keyword
fortinet.firewall.fqdn: FQDN

type: keyword
fortinet.firewall.frametype: Wireless frametype

type: keyword
fortinet.firewall.freediskstorage: Free disk integer

type: integer
fortinet.firewall.from: From email address

type: keyword
fortinet.firewall.from_vcluster: Source virtual cluster number

type: integer
fortinet.firewall.fsaverdict: FSA verdict

type: keyword
fortinet.firewall.fwserver_name: Web proxy server name

type: keyword
fortinet.firewall.gateway: Gateway ip address for PPPoE status report

type: ip
fortinet.firewall.green: Memory status

type: keyword
fortinet.firewall.groupid: User Group ID

type: integer
fortinet.firewall.ha-prio: HA Priority

type: integer
fortinet.firewall.ha_group: HA Group

type: keyword
fortinet.firewall.ha_role: HA Role

type: keyword
fortinet.firewall.handshake: SSL Handshake

type: keyword
fortinet.firewall.hash: Hash value of downloaded file

type: keyword
fortinet.firewall.hbdn_reason: Heartbeat down reason

type: keyword
fortinet.firewall.highcount: Highcount fabric summary

type: integer
fortinet.firewall.host: Hostname

type: keyword
fortinet.firewall.iaid: DHCPv6 id

type: keyword
fortinet.firewall.icmpcode: Destination Port of the ICMP message

type: keyword
fortinet.firewall.icmpid: Source port of the ICMP message

type: keyword
fortinet.firewall.icmptype: The type of ICMP message

type: keyword
fortinet.firewall.identifier: Network traffic identifier

type: integer
fortinet.firewall.in_spi: IPSEC inbound SPI

type: keyword
fortinet.firewall.incidentserialno: Incident serial number

type: integer
fortinet.firewall.infected: Infected MMS

type: integer
fortinet.firewall.infectedfilelevel: DLP infected file level

type: integer
fortinet.firewall.informationsource: Information source

type: keyword
fortinet.firewall.init: IPSEC init stage

type: keyword
fortinet.firewall.initiator: Original login user name for Fortiguard override

type: keyword
fortinet.firewall.interface: Related interface

type: keyword
fortinet.firewall.intf: Related interface

type: keyword
fortinet.firewall.invalidmac: The MAC address with invalid OUI

type: keyword
fortinet.firewall.ip: Related IP

type: ip
fortinet.firewall.iptype: Related IP type

type: keyword
fortinet.firewall.keyword: Keyword used for search

type: keyword
fortinet.firewall.kind: VOIP kind

type: keyword
fortinet.firewall.lanin: LAN incoming traffic in bytes

type: long
fortinet.firewall.lanout: LAN outbound traffic in bytes

type: long
fortinet.firewall.lease: DHCP lease

type: integer
fortinet.firewall.license_limit: Maximum Number of FortiClients for the License

type: keyword
fortinet.firewall.limit: Virtual Domain Resource Limit

type: integer
fortinet.firewall.line: VOIP line

type: keyword
fortinet.firewall.live: Time in seconds

type: integer
fortinet.firewall.local: Local IP for a PPPD Connection

type: ip
fortinet.firewall.log: Log message

type: keyword
fortinet.firewall.login: SSH login

type: keyword
fortinet.firewall.lowcount: Fabric lowcount

type: integer
fortinet.firewall.mac: DHCP mac address

type: keyword
fortinet.firewall.malform_data: VOIP malformed data

type: integer
fortinet.firewall.malform_desc: VOIP malformed data description

type: keyword
fortinet.firewall.manuf: Manufacturer name

type: keyword
fortinet.firewall.masterdstmac: Master mac address for a host with multiple network interfaces

type: keyword
fortinet.firewall.mastersrcmac: The master MAC address for a host that has multiple network interfaces

type: keyword
fortinet.firewall.mediumcount: Fabric medium count

type: integer
fortinet.firewall.mem: Memory usage system statistics

type: integer
fortinet.firewall.meshmode: Wireless mesh mode

type: keyword
fortinet.firewall.message_type: VOIP message type

type: keyword
fortinet.firewall.method: HTTP method

type: keyword
fortinet.firewall.mgmtcnt: The number of unauthorized client flooding managemet frames

type: integer
fortinet.firewall.mode: IPSEC mode

type: keyword
fortinet.firewall.module: PCI-DSS module

type: keyword
fortinet.firewall.monitor-name: Health Monitor Name

type: keyword
fortinet.firewall.monitor-type: Health Monitor Type

type: keyword
fortinet.firewall.mpsk: Wireless MPSK

type: keyword
fortinet.firewall.msgproto: Message Protocol Number

type: keyword
fortinet.firewall.mtu: Max Transmission Unit Value

type: integer
fortinet.firewall.name: Name

type: keyword
fortinet.firewall.nat: NAT IP Address

type: keyword
fortinet.firewall.netid: Connector NetID

type: keyword
fortinet.firewall.new_status: New status on user change

type: keyword
fortinet.firewall.new_value: New Virtual Domain Name

type: keyword
fortinet.firewall.newchannel: New Channel Number

type: integer
fortinet.firewall.newchassisid: New Chassis ID

type: integer
fortinet.firewall.newslot: New Slot Number

type: integer
fortinet.firewall.nextstat: Time interval in seconds for the next statistics.

type: integer
fortinet.firewall.nf_type: Notification Type

type: keyword
fortinet.firewall.noise: Wifi Noise

type: integer
fortinet.firewall.old_status: Original Status

type: keyword
fortinet.firewall.old_value: Original Virtual Domain name

type: keyword
fortinet.firewall.oldchannel: Original channel

type: integer
fortinet.firewall.oldchassisid: Original Chassis Number

type: integer
fortinet.firewall.oldslot: Original Slot Number

type: integer
fortinet.firewall.oldsn: Old Serial number

type: keyword
fortinet.firewall.oldwprof: Old Web Filter Profile

type: keyword
fortinet.firewall.onwire: A flag to indicate if the AP is onwire or not

type: keyword
fortinet.firewall.opercountry: Operating Country

type: keyword
fortinet.firewall.opertxpower: Operating TX power

type: integer
fortinet.firewall.osname: Operating System name

type: keyword
fortinet.firewall.osversion: Operating System version

type: keyword
fortinet.firewall.out_spi: Out SPI

type: keyword
fortinet.firewall.outintf: Out interface

type: keyword
fortinet.firewall.passedcount: Fabric passed count

type: integer
fortinet.firewall.passwd: Changed user password information

type: keyword
fortinet.firewall.path: Path of looped configuration for security fabric

type: keyword
fortinet.firewall.peer: WAN optimization peer

type: keyword
fortinet.firewall.peer_notif: VPN peer notification

type: keyword
fortinet.firewall.phase2_name: VPN phase2 name

type: keyword
fortinet.firewall.phone: VOIP Phone

type: keyword
fortinet.firewall.pid: Process ID

type: integer
fortinet.firewall.policytype: Policy Type

type: keyword
fortinet.firewall.poolname: IP Pool name

type: keyword
fortinet.firewall.port: Log upload error port

type: integer
fortinet.firewall.portbegin: IP Pool port number to begin

type: integer
fortinet.firewall.portend: IP Pool port number to end

type: integer
fortinet.firewall.probeproto: Link Monitor Probe Protocol

type: keyword
fortinet.firewall.process: URL Filter process

type: keyword
fortinet.firewall.processtime: Process time for reports

type: integer
fortinet.firewall.profile: Profile Name

type: keyword
fortinet.firewall.profile_vd: Virtual Domain Name

type: keyword
fortinet.firewall.profilegroup: Profile Group Name

type: keyword
fortinet.firewall.profiletype: Profile Type

type: keyword
fortinet.firewall.qtypeval: DNS question type value

type: integer
fortinet.firewall.quarskip: Quarantine skip explanation

type: keyword
fortinet.firewall.quotaexceeded: If quota has been exceeded

type: keyword
fortinet.firewall.quotamax: Maximum quota allowed - in seconds if time-based - in bytes if traffic-based

type: long
fortinet.firewall.quotatype: Quota type

type: keyword
fortinet.firewall.quotaused: Quota used - in seconds if time-based - in bytes if trafficbased)

type: long
fortinet.firewall.radioband: Radio band

type: keyword
fortinet.firewall.radioid: Radio ID

type: integer
fortinet.firewall.radioidclosest: Radio ID on the AP closest the rogue AP

type: integer
fortinet.firewall.radioiddetected: Radio ID on the AP which detected the rogue AP

type: integer
fortinet.firewall.rate: Wireless rogue rate value

type: keyword
fortinet.firewall.rawdata: Raw data value

type: keyword
fortinet.firewall.rawdataid: Raw data ID

type: keyword
fortinet.firewall.rcvddelta: Received bytes delta

type: keyword
fortinet.firewall.reason: Alert reason

type: keyword
fortinet.firewall.received: Server key exchange received

type: integer
fortinet.firewall.receivedsignature: Server key exchange received signature

type: keyword
fortinet.firewall.red: Memory information in red

type: keyword
fortinet.firewall.referralurl: Web filter referralurl

type: keyword
fortinet.firewall.remote: Remote PPP IP address

type: ip
fortinet.firewall.remotewtptime: Remote Wifi Radius authentication time

type: keyword
fortinet.firewall.reporttype: Report type

type: keyword
fortinet.firewall.reqtype: Request type

type: keyword
fortinet.firewall.request_name: VOIP request name

type: keyword
fortinet.firewall.result: VPN phase result

type: keyword
fortinet.firewall.role: VPN Phase 2 role

type: keyword
fortinet.firewall.rssi: Received signal strength indicator

type: integer
fortinet.firewall.rsso_key: RADIUS SSO attribute value

type: keyword
fortinet.firewall.ruledata: Rule data

type: keyword
fortinet.firewall.ruletype: Rule type

type: keyword
fortinet.firewall.scanned: Number of Scanned MMSs

type: integer
fortinet.firewall.scantime: Scanned time

type: long
fortinet.firewall.scope: FortiGuard Override Scope

type: keyword
fortinet.firewall.security: Wireless rogue security

type: keyword
fortinet.firewall.sensitivity: Sensitivity for document fingerprint

type: keyword
fortinet.firewall.sensor: NAC Sensor Name

type: keyword
fortinet.firewall.sentdelta: Sent bytes delta

type: keyword
fortinet.firewall.seq: Sequence number

type: keyword
fortinet.firewall.serial: WAN optimisation serial

type: keyword
fortinet.firewall.serialno: Serial number

type: keyword
fortinet.firewall.server: AD server FQDN or IP

type: keyword
fortinet.firewall.session_id: Session ID

type: keyword
fortinet.firewall.sessionid: WAD Session ID

type: integer
fortinet.firewall.setuprate: Session Setup Rate

type: long
fortinet.firewall.severity: Severity

type: keyword
fortinet.firewall.shaperdroprcvdbyte: Received bytes dropped by shaper

type: integer
fortinet.firewall.shaperdropsentbyte: Sent bytes dropped by shaper

type: integer
fortinet.firewall.shaperperipdropbyte: Dropped bytes per IP by shaper

type: integer
fortinet.firewall.shaperperipname: Traffic shaper name (per IP)

type: keyword
fortinet.firewall.shaperrcvdname: Traffic shaper name for received traffic

type: keyword
fortinet.firewall.shapersentname: Traffic shaper name for sent traffic

type: keyword
fortinet.firewall.shapingpolicyid: Traffic shaper policy ID

type: integer
fortinet.firewall.signal: Wireless rogue API signal

type: integer
fortinet.firewall.size: Email size in bytes

type: long
fortinet.firewall.slot: Slot number

type: integer
fortinet.firewall.sn: Security fabric serial number

type: keyword
fortinet.firewall.snclosest: SN of the AP closest to the rogue AP

type: keyword
fortinet.firewall.sndetected: SN of the AP which detected the rogue AP

type: keyword
fortinet.firewall.snmeshparent: SN of the mesh parent

type: keyword
fortinet.firewall.spi: IPSEC SPI

type: keyword
fortinet.firewall.src_int: Source interface

type: keyword
fortinet.firewall.srcintfrole: Source interface role

type: keyword
fortinet.firewall.srccountry: Source country

type: keyword
fortinet.firewall.srcfamily: Source family

type: keyword
fortinet.firewall.srchwvendor: Source hardware vendor

type: keyword
fortinet.firewall.srchwversion: Source hardware version

type: keyword
fortinet.firewall.srcinetsvc: Source interface service

type: keyword
fortinet.firewall.srcname: Source name

type: keyword
fortinet.firewall.srcserver: Source server

type: integer
fortinet.firewall.srcssid: Source SSID

type: keyword
fortinet.firewall.srcswversion: Source software version

type: keyword
fortinet.firewall.srcuuid: Source UUID

type: keyword
fortinet.firewall.sscname: SSC name

type: keyword
fortinet.firewall.ssid: Base Service Set ID

type: keyword
fortinet.firewall.sslaction: SSL Action

type: keyword
fortinet.firewall.ssllocal: WAD SSL local

type: keyword
fortinet.firewall.sslremote: WAD SSL remote

type: keyword
fortinet.firewall.stacount: Number of stations/clients

type: integer
fortinet.firewall.stage: IPSEC stage

type: keyword
fortinet.firewall.stamac: 802.1x station mac

type: keyword
fortinet.firewall.state: Admin login state

type: keyword
fortinet.firewall.status: Status

type: keyword
fortinet.firewall.stitch: Automation stitch triggered

type: keyword
fortinet.firewall.subject: Email subject

type: keyword
fortinet.firewall.submodule: Configuration Sub-Module Name

type: keyword
fortinet.firewall.subservice: AV subservice

type: keyword
fortinet.firewall.subtype: Log subtype

type: keyword
fortinet.firewall.suspicious: Number of Suspicious MMSs

type: integer
fortinet.firewall.switchproto: Protocol change information

type: keyword
fortinet.firewall.sync_status: The sync status with the master

type: keyword
fortinet.firewall.sync_type: The sync type with the master

type: keyword
fortinet.firewall.sysuptime: System uptime

type: keyword
fortinet.firewall.tamac: the MAC address of Transmitter, if none, then Receiver

type: keyword
fortinet.firewall.threattype: WIDS threat type

type: keyword
fortinet.firewall.time: Time of the event

type: keyword
fortinet.firewall.to: Email to field

type: keyword
fortinet.firewall.to_vcluster: destination virtual cluster number

type: integer
fortinet.firewall.total: Total memory

type: integer
fortinet.firewall.totalsession: Total Number of Sessions

type: integer
fortinet.firewall.trace_id: Session clash trace ID

type: keyword
fortinet.firewall.trandisp: NAT translation type

type: keyword
fortinet.firewall.transid: HTTP transaction ID

type: integer
fortinet.firewall.translationid: DNS filter transaltion ID

type: keyword
fortinet.firewall.trigger: Automation stitch trigger

type: keyword
fortinet.firewall.trueclntip: File filter true client IP

type: ip
fortinet.firewall.tunnelid: IPSEC tunnel ID

type: integer
fortinet.firewall.tunnelip: IPSEC tunnel IP

type: ip
fortinet.firewall.tunneltype: IPSEC tunnel type

type: keyword
fortinet.firewall.type: Module type

type: keyword
fortinet.firewall.ui: Admin authentication UI type

type: keyword
fortinet.firewall.unauthusersource: Unauthenticated user source

type: keyword
fortinet.firewall.unit: Power supply unit

type: integer
fortinet.firewall.urlfilteridx: URL filter ID

type: integer
fortinet.firewall.urlfilterlist: URL filter list

type: keyword
fortinet.firewall.urlsource: URL filter source

type: keyword
fortinet.firewall.urltype: URL filter type

type: keyword
fortinet.firewall.used: Number of Used IPs

type: integer
fortinet.firewall.used_for_type: Connection for the type

type: integer
fortinet.firewall.utmaction: Security action performed by UTM

type: keyword
fortinet.firewall.utmref: Reference to UTM

type: keyword
fortinet.firewall.vap: Virtual AP

type: keyword
fortinet.firewall.vapmode: Virtual AP mode

type: keyword
fortinet.firewall.vcluster: virtual cluster id

type: integer
fortinet.firewall.vcluster_member: Virtual cluster member

type: integer
fortinet.firewall.vcluster_state: Virtual cluster state

type: keyword
fortinet.firewall.vd: Virtual Domain Name

type: keyword
fortinet.firewall.vdname: Virtual Domain Name

type: keyword
fortinet.firewall.vendorurl: Vulnerability scan vendor name

type: keyword
fortinet.firewall.version: Version

type: keyword
fortinet.firewall.vip: Virtual IP

type: keyword
fortinet.firewall.virus: Virus name

type: keyword
fortinet.firewall.virusid: Virus ID (unique virus identifier)

type: integer
fortinet.firewall.voip_proto: VOIP protocol

type: keyword
fortinet.firewall.vpn: VPN description

type: keyword
fortinet.firewall.vpntunnel: IPsec Vpn Tunnel Name

type: keyword
fortinet.firewall.vpntype: The type of the VPN tunnel

type: keyword
fortinet.firewall.vrf: VRF number

type: integer
fortinet.firewall.vulncat: Vulnerability Category

type: keyword
fortinet.firewall.vulnid: Vulnerability ID

type: integer
fortinet.firewall.vulnname: Vulnerability name

type: keyword
fortinet.firewall.vwlid: VWL ID

type: integer
fortinet.firewall.vwlquality: VWL quality

type: keyword
fortinet.firewall.vwlservice: VWL service

type: keyword
fortinet.firewall.vwpvlanid: VWP VLAN ID

type: integer
fortinet.firewall.wanin: WAN incoming traffic in bytes

type: long
fortinet.firewall.wanoptapptype: WAN Optimization Application type

type: keyword
fortinet.firewall.wanout: WAN outgoing traffic in bytes

type: long
fortinet.firewall.weakwepiv: Weak Wep Initiation Vector

type: keyword
fortinet.firewall.xauthgroup: XAuth Group Name

type: keyword
fortinet.firewall.xauthuser: XAuth User Name

type: keyword
fortinet.firewall.xid: Wireless X ID

type: integer

Google Cloud Platform (GCP) fields

Module for handling logs from Google Cloud.

gcp

Fields from Google Cloud logs.

destination.instance

If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.

gcp.destination.instance.project_id: ID of the project containing the VM.

type: keyword
gcp.destination.instance.region: Region of the VM.

type: keyword
gcp.destination.instance.zone: Zone of the VM.

type: keyword

destination.vpc

If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.

gcp.destination.vpc.project_id: ID of the project containing the VM.

type: keyword
gcp.destination.vpc.vpc_name: VPC on which the VM is operating.

type: keyword
gcp.destination.vpc.subnetwork_name: Subnetwork on which the VM is operating.

type: keyword

source.instance

If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.

gcp.source.instance.project_id: ID of the project containing the VM.

type: keyword
gcp.source.instance.region: Region of the VM.

type: keyword
gcp.source.instance.zone: Zone of the VM.

type: keyword

source.vpc

If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.

gcp.source.vpc.project_id: ID of the project containing the VM.

type: keyword
gcp.source.vpc.vpc_name: VPC on which the VM is operating.

type: keyword
gcp.source.vpc.subnetwork_name: Subnetwork on which the VM is operating.

type: keyword

audit

Fields for Google Cloud audit logs.

gcp.audit.type: Type property.

type: keyword

authentication_info

Authentication information.

gcp.audit.authentication_info.principal_email: The email address of the authenticated user making the request.

type: keyword
gcp.audit.authentication_info.authority_selector: The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.

type: keyword
gcp.audit.authorization_info: Authorization information for the operation.

type: array
gcp.audit.method_name: The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.

type: keyword
gcp.audit.num_response_items: The number of items returned from a List or Query API method, if applicable.

type: long

request

The operation request.

gcp.audit.request.proto_name: Type property of the request.

type: keyword
gcp.audit.request.filter: Filter of the request.

type: keyword
gcp.audit.request.name: Name of the request.

type: keyword
gcp.audit.request.resource_name: Name of the request resource.

type: keyword

request_metadata

Metadata about the request.

gcp.audit.request_metadata.caller_ip: The IP address of the caller.

type: ip
gcp.audit.request_metadata.caller_supplied_user_agent: The user agent of the caller. This information is not authenticated and should be treated accordingly.

type: keyword

response

The operation response.

gcp.audit.response.proto_name: Type property of the response.

type: keyword

details

The details of the response.

gcp.audit.response.details.group: The name of the group.

type: keyword
gcp.audit.response.details.kind: The kind of the response details.

type: keyword
gcp.audit.response.details.name: The name of the response details.

type: keyword
gcp.audit.response.details.uid: The uid of the response details.

type: keyword
gcp.audit.response.status: Status of the response.

type: keyword
gcp.audit.resource_name: The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'.

type: keyword

resource_location

The location of the resource.

gcp.audit.resource_location.current_locations: Current locations of the resource.

type: keyword
gcp.audit.service_name: The name of the API service performing the operation. For example, datastore.googleapis.com.

type: keyword

status

The status of the overall operation.

gcp.audit.status.code: The status code, which should be an enum value of google.rpc.Code.

type: integer
gcp.audit.status.message: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

type: keyword

firewall

Fields for Google Cloud Firewall logs.

rule_details

Description of the firewall rule that matched this connection.

gcp.firewall.rule_details.priority: The priority for the firewall rule.

type: long
gcp.firewall.rule_details.action: Action that the rule performs on match.

type: keyword
gcp.firewall.rule_details.direction: Direction of traffic that matches this rule.

type: keyword
gcp.firewall.rule_details.reference: Reference to the firewall rule.

type: keyword
gcp.firewall.rule_details.source_range: List of source ranges that the firewall rule applies to.

type: keyword
gcp.firewall.rule_details.destination_range: List of destination ranges that the firewall applies to.

type: keyword
gcp.firewall.rule_details.source_tag: List of all the source tags that the firewall rule applies to.

type: keyword
gcp.firewall.rule_details.target_tag: List of all the target tags that the firewall rule applies to.

type: keyword
gcp.firewall.rule_details.ip_port_info: List of ip protocols and applicable port ranges for rules.

type: array
gcp.firewall.rule_details.source_service_account: List of all the source service accounts that the firewall rule applies to.

type: keyword
gcp.firewall.rule_details.target_service_account: List of all the target service accounts that the firewall rule applies to.

type: keyword

vpcflow

Fields for Google Cloud VPC flow logs.

gcp.vpcflow.reporter: The side which reported the flow. Can be either 'SRC' or 'DEST'.

type: keyword
gcp.vpcflow.rtt.ms: Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.

type: long

google_workspace fields

Google Workspace Module

google_workspace

Google Workspace specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

google_workspace.actor.type: The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor.

type: keyword
google_workspace.actor.key: Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts.

type: keyword
google_workspace.event.type: The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

type: keyword

example: audit#activity
google_workspace.kind: The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

type: keyword

example: audit#activity
google_workspace.organization.domain: The domain that is affected by the report’s event.

type: keyword
google_workspace.admin.application.edition: The Google Workspace edition.

type: keyword
google_workspace.admin.application.name: The application’s name.

type: keyword
google_workspace.admin.application.enabled: The enabled application.

type: keyword
google_workspace.admin.application.licences_order_number: Order number used to redeem licenses.

type: keyword
google_workspace.admin.application.licences_purchased: Number of licences purchased.

type: keyword
google_workspace.admin.application.id: The application ID.

type: keyword
google_workspace.admin.application.asp_id: The application specific password ID.

type: keyword
google_workspace.admin.application.package_id: The mobile application package ID.

type: keyword
google_workspace.admin.group.email: The group’s primary email address.

type: keyword
google_workspace.admin.new_value: The new value for the setting.

type: keyword
google_workspace.admin.old_value: The old value for the setting.

type: keyword
google_workspace.admin.org_unit.name: The organizational unit name.

type: keyword
google_workspace.admin.org_unit.full: The org unit full path including the root org unit name.

type: keyword
google_workspace.admin.setting.name: The setting name.

type: keyword
google_workspace.admin.user_defined_setting.name: The name of the user-defined setting.

type: keyword
google_workspace.admin.setting.description: The setting name.

type: keyword
google_workspace.admin.group.priorities: Group priorities.

type: keyword
google_workspace.admin.domain.alias: The domain alias.

type: keyword
google_workspace.admin.domain.name: The primary domain name.

type: keyword
google_workspace.admin.domain.secondary_name: The secondary domain name.

type: keyword
google_workspace.admin.managed_configuration: The name of the managed configuration.

type: keyword
google_workspace.admin.non_featured_services_selection: Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED

type: keyword
google_workspace.admin.field: The name of the field.

type: keyword
google_workspace.admin.resource.id: The name of the resource identifier.

type: keyword
google_workspace.admin.user.email: The user’s primary email address.

type: keyword
google_workspace.admin.user.nickname: The user’s nickname.

type: keyword
google_workspace.admin.user.birthdate: The user’s birth date.

type: date
google_workspace.admin.gateway.name: Gateway name. Present on some chat settings.

type: keyword
google_workspace.admin.chrome_os.session_type: Chrome OS session type.

type: keyword
google_workspace.admin.device.serial_number: Device serial number.

type: keyword
google_workspace.admin.device.id: type: keyword
google_workspace.admin.device.type: Device type.

type: keyword
google_workspace.admin.print_server.name: The name of the print server.

type: keyword
google_workspace.admin.printer.name: The name of the printer.

type: keyword
google_workspace.admin.device.command_details: Command details.

type: keyword
google_workspace.admin.role.id: Unique identifier for this role privilege.

type: keyword
google_workspace.admin.role.name: The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings

type: keyword
google_workspace.admin.privilege.name: Privilege name.

type: keyword
google_workspace.admin.service.name: The service name.

type: keyword
google_workspace.admin.url.name: The website name.

type: keyword
google_workspace.admin.product.name: The product name.

type: keyword
google_workspace.admin.product.sku: The product SKU.

type: keyword
google_workspace.admin.bulk_upload.failed: Number of failed records in bulk upload operation.

type: long
google_workspace.admin.bulk_upload.total: Number of total records in bulk upload operation.

type: long
google_workspace.admin.group.allowed_list: Names of allow-listed groups.

type: keyword
google_workspace.admin.email.quarantine_name: The name of the quarantine.

type: keyword
google_workspace.admin.email.log_search_filter.message_id: The log search filter’s email message ID.

type: keyword
google_workspace.admin.email.log_search_filter.start_date: The log search filter’s start date.

type: date
google_workspace.admin.email.log_search_filter.end_date: The log search filter’s ending date.

type: date
google_workspace.admin.email.log_search_filter.recipient.value: The log search filter’s email recipient.

type: keyword
google_workspace.admin.email.log_search_filter.sender.value: The log search filter’s email sender.

type: keyword
google_workspace.admin.email.log_search_filter.recipient.ip: The log search filter’s email recipient’s IP address.

type: ip
google_workspace.admin.email.log_search_filter.sender.ip: The log search filter’s email sender’s IP address.

type: ip
google_workspace.admin.chrome_licenses.enabled: Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings

type: keyword
google_workspace.admin.chrome_licenses.allowed: Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings

type: keyword
google_workspace.admin.oauth2.service.name: OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings

type: keyword
google_workspace.admin.oauth2.application.id: OAuth2 application ID.

type: keyword
google_workspace.admin.oauth2.application.name: OAuth2 application name.

type: keyword
google_workspace.admin.oauth2.application.type: OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings

type: keyword
google_workspace.admin.verification_method: Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings

type: keyword
google_workspace.admin.alert.name: The alert name.

type: keyword
google_workspace.admin.rule.name: The rule name.

type: keyword
google_workspace.admin.api.client.name: The API client name.

type: keyword
google_workspace.admin.api.scopes: The API scopes.

type: keyword
google_workspace.admin.mdm.token: The MDM vendor enrollment token.

type: keyword
google_workspace.admin.mdm.vendor: The MDM vendor’s name.

type: keyword
google_workspace.admin.info_type: This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings

type: keyword
google_workspace.admin.email_monitor.dest_email: The destination address of the email monitor.

type: keyword
google_workspace.admin.email_monitor.level.chat: The chat email monitor level.

type: keyword
google_workspace.admin.email_monitor.level.draft: The draft email monitor level.

type: keyword
google_workspace.admin.email_monitor.level.incoming: The incoming email monitor level.

type: keyword
google_workspace.admin.email_monitor.level.outgoing: The outgoing email monitor level.

type: keyword
google_workspace.admin.email_dump.include_deleted: Indicates if deleted emails are included in the export.

type: boolean
google_workspace.admin.email_dump.package_content: The contents of the mailbox package.

type: keyword
google_workspace.admin.email_dump.query: The search query used for the dump.

type: keyword
google_workspace.admin.request.id: The request ID.

type: keyword
google_workspace.admin.mobile.action.id: The mobile device action’s ID.

type: keyword
google_workspace.admin.mobile.action.type: The mobile device action’s type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword
google_workspace.admin.mobile.certificate.name: The mobile certificate common name.

type: keyword
google_workspace.admin.mobile.company_owned_devices: The number of devices a company owns.

type: long
google_workspace.admin.distribution.entity.name: The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword
google_workspace.admin.distribution.entity.type: The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword
google_workspace.drive.billable: Whether this activity is billable.

type: boolean
google_workspace.drive.source_folder_id: type: keyword
google_workspace.drive.source_folder_title: type: keyword
google_workspace.drive.destination_folder_id: type: keyword
google_workspace.drive.destination_folder_title: type: keyword
google_workspace.drive.file.id: type: keyword
google_workspace.drive.file.type: Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.originating_app_id: The Google Cloud Project ID of the application that performed the action.

type: keyword
google_workspace.drive.file.owner.email: type: keyword
google_workspace.drive.file.owner.is_shared_drive: Boolean flag denoting whether owner is a shared drive.

type: boolean
google_workspace.drive.primary_event: Whether this is a primary event. A single user action in Drive may generate several events.

type: boolean
google_workspace.drive.shared_drive_id: The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.

type: keyword
google_workspace.drive.visibility: Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.new_value: When a setting or property of the file changes, the new value for it will appear here.

type: keyword
google_workspace.drive.old_value: When a setting or property of the file changes, the old value for it will appear here.

type: keyword
google_workspace.drive.sheets_import_range_recipient_doc: Doc ID of the recipient of a sheets import range.

type: keyword
google_workspace.drive.old_visibility: When visibility changes, this holds the old value.

type: keyword
google_workspace.drive.visibility_change: When visibility changes, this holds the new overall visibility of the file.

type: keyword
google_workspace.drive.target_domain: The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.

type: keyword
google_workspace.drive.added_role: Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.membership_change_type: Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.shared_drive_settings_change_type: Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.removed_role: Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword
google_workspace.drive.target: Target user or group.

type: keyword
google_workspace.groups.acl_permission: Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.email: Group email.

type: keyword
google_workspace.groups.member.email: Member email.

type: keyword
google_workspace.groups.member.role: Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.setting: Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.new_value: New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.old_value: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.value: Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword
google_workspace.groups.message.id: SMTP message Id of an email message. Present for moderation events.

type: keyword
google_workspace.groups.message.moderation_action: Message moderation action. Possible values are approved and rejected.

type: keyword
google_workspace.groups.status: A status describing the output of an operation. Possible values are failed and succeeded.

type: keyword
google_workspace.login.affected_email_address: type: keyword
google_workspace.login.challenge_method: Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword
google_workspace.login.failure_type: Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword
google_workspace.login.type: Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword
google_workspace.login.is_second_factor: type: boolean
google_workspace.login.is_suspicious: type: boolean
google_workspace.saml.application_name: Saml SP application name.

type: keyword
google_workspace.saml.failure_type: Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.

type: keyword
google_workspace.saml.initiated_by: Requester of SAML authentication.

type: keyword
google_workspace.saml.orgunit_path: User orgunit.

type: keyword
google_workspace.saml.status_code: SAML status code.

type: keyword
google_workspace.saml.second_level_status_code: SAML second level status code.

type: keyword

HAProxy fields

haproxy Module

haproxy

haproxy.frontend_name: Name of the frontend (or listener) which received and processed the connection.
haproxy.backend_name: Name of the backend (or listener) which was selected to manage the connection to the server.
haproxy.server_name: Name of the last server to which the connection was sent.
haproxy.total_waiting_time_ms: Total time in milliseconds spent waiting in the various queues

type: long
haproxy.connection_wait_time_ms: Total time in milliseconds spent waiting for the connection to establish to the final server

type: long
haproxy.bytes_read: Total number of bytes transmitted to the client when the log is emitted.

type: long
haproxy.time_queue: Total time in milliseconds spent waiting in the various queues.

type: long
haproxy.time_backend_connect: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.

type: long
haproxy.server_queue: Total number of requests which were processed before this one in the server queue.

type: long
haproxy.backend_queue: Total number of requests which were processed before this one in the backend’s global queue.

type: long
haproxy.bind_name: Name of the listening address which received the connection.
haproxy.error_message: Error message logged by HAProxy in case of error.

type: text
haproxy.source: The HAProxy source of the log

type: keyword
haproxy.termination_state: Condition the session was in when the session ended.
haproxy.mode: mode that the frontend is operating (TCP or HTTP)

type: keyword

connections

Contains various counts of connections active in the process.

haproxy.connections.active: Total number of concurrent connections on the process when the session was logged.

type: long
haproxy.connections.frontend: Total number of concurrent connections on the frontend when the session was logged.

type: long
haproxy.connections.backend: Total number of concurrent connections handled by the backend when the session was logged.

type: long
haproxy.connections.server: Total number of concurrent connections still active on the server when the session was logged.

type: long
haproxy.connections.retries: Number of connection retries experienced by this session when trying to connect to the server.

type: long

client

Information about the client doing the request

haproxy.client.ip: type: alias

alias to: source.address
haproxy.client.port: type: alias

alias to: source.port
haproxy.process_name: type: alias

alias to: process.name
haproxy.pid: type: alias

alias to: process.pid

destination

Destination information

haproxy.destination.port: type: alias

alias to: destination.port
haproxy.destination.ip: type: alias

alias to: destination.ip

geoip

Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

haproxy.geoip.continent_name: type: alias

alias to: source.geo.continent_name
haproxy.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
haproxy.geoip.location: type: alias

alias to: source.geo.location
haproxy.geoip.region_name: type: alias

alias to: source.geo.region_name
haproxy.geoip.city_name: type: alias

alias to: source.geo.city_name
haproxy.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

http

Please add description

response

Fields related to the HTTP response

haproxy.http.response.captured_cookie: Optional "name=value" entry indicating that the client had this cookie in the response.
haproxy.http.response.captured_headers: List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.

type: keyword
haproxy.http.response.status_code: type: alias

alias to: http.response.status_code

request

Fields related to the HTTP request

haproxy.http.request.captured_cookie: Optional "name=value" entry indicating that the server has returned a cookie with its request.
haproxy.http.request.captured_headers: List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.

type: keyword
haproxy.http.request.raw_request_line: Complete HTTP request line, including the method, request and HTTP version string.

type: keyword
haproxy.http.request.time_wait_without_data_ms: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.

type: long
haproxy.http.request.time_wait_ms: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.

type: long

tcp

TCP log format

haproxy.tcp.connection_waiting_time_ms: Total time in milliseconds elapsed between the accept and the last close

type: long

Host fields

Info collected for the host machine.

host.containerized: If the host is a container.

type: boolean
host.os.build: OS build information.

type: keyword

example: 18D109
host.os.codename: OS codename, if any.

type: keyword

example: stretch

ibmmq fields

ibmmq Module

ibmmq

errorlog

IBM MQ error logs

ibmmq.errorlog.installation: This is the installation name which can be given at installation time. Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.

type: keyword
ibmmq.errorlog.qmgr: Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them.

type: keyword
ibmmq.errorlog.arithinsert: Changing content based on error.id

type: keyword
ibmmq.errorlog.commentinsert: Changing content based on error.id

type: keyword
ibmmq.errorlog.errordescription: Please add description

type: text

example: Please add example
ibmmq.errorlog.explanation: Explaines the error in more detail

type: keyword
ibmmq.errorlog.action: Defines what to do when the error occurs

type: keyword
ibmmq.errorlog.code: Error code.

type: keyword

Icinga fields

Icinga Module

icinga

debug

Contains fields for the Icinga debug logs.

icinga.debug.facility: Specifies what component of Icinga logged the message.

type: keyword
icinga.debug.severity: type: alias

alias to: log.level
icinga.debug.message: type: alias

alias to: message

main

Contains fields for the Icinga main logs.

icinga.main.facility: Specifies what component of Icinga logged the message.

type: keyword
icinga.main.severity: type: alias

alias to: log.level
icinga.main.message: type: alias

alias to: message

startup

Contains fields for the Icinga startup logs.

icinga.startup.facility: Specifies what component of Icinga logged the message.

type: keyword
icinga.startup.severity: type: alias

alias to: log.level
icinga.startup.message: type: alias

alias to: message

IIS fields

Module for parsing IIS log files.

iis

Fields from IIS log files.

access

Contains fields for IIS access logs.

iis.access.sub_status: The HTTP substatus code.

type: long
iis.access.win32_status: The Windows status code.

type: long
iis.access.site_name: The site name and instance number.

type: keyword
iis.access.server_name: The name of the server on which the log file entry was generated.

type: keyword
iis.access.cookie: The content of the cookie sent or received, if any.

type: keyword
iis.access.body_received.bytes: type: alias

alias to: http.request.body.bytes
iis.access.body_sent.bytes: type: alias

alias to: http.response.body.bytes
iis.access.server_ip: type: alias

alias to: destination.address
iis.access.method: type: alias

alias to: http.request.method
iis.access.url: type: alias

alias to: url.path
iis.access.query_string: type: alias

alias to: url.query
iis.access.port: type: alias

alias to: destination.port
iis.access.user_name: type: alias

alias to: user.name
iis.access.remote_ip: type: alias

alias to: source.address
iis.access.referrer: type: alias

alias to: http.request.referrer
iis.access.response_code: type: alias

alias to: http.response.status_code
iis.access.http_version: type: alias

alias to: http.version
iis.access.hostname: type: alias

alias to: host.hostname
iis.access.user_agent.device: type: alias

alias to: user_agent.device.name
iis.access.user_agent.name: type: alias

alias to: user_agent.name
iis.access.user_agent.os: type: alias

alias to: user_agent.os.full_name
iis.access.user_agent.os_name: type: alias

alias to: user_agent.os.name
iis.access.user_agent.original: type: alias

alias to: user_agent.original
iis.access.geoip.continent_name: type: alias

alias to: source.geo.continent_name
iis.access.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
iis.access.geoip.location: type: alias

alias to: source.geo.location
iis.access.geoip.region_name: type: alias

alias to: source.geo.region_name
iis.access.geoip.city_name: type: alias

alias to: source.geo.city_name
iis.access.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

error

Contains fields for IIS error logs.

iis.error.reason_phrase: The HTTP reason phrase.

type: keyword
iis.error.queue_name: The IIS application pool name.

type: keyword
iis.error.remote_ip: type: alias

alias to: source.address
iis.error.remote_port: type: alias

alias to: source.port
iis.error.server_ip: type: alias

alias to: destination.address
iis.error.server_port: type: alias

alias to: destination.port
iis.error.http_version: type: alias

alias to: http.version
iis.error.method: type: alias

alias to: http.request.method
iis.error.url: type: alias

alias to: url.original
iis.error.response_code: type: alias

alias to: http.response.status_code
iis.error.geoip.continent_name: type: alias

alias to: source.geo.continent_name
iis.error.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
iis.error.geoip.location: type: alias

alias to: source.geo.location
iis.error.geoip.region_name: type: alias

alias to: source.geo.region_name
iis.error.geoip.city_name: type: alias

alias to: source.geo.city_name
iis.error.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

Imperva SecureSphere fields

imperva fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Infoblox NIOS fields

infoblox fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

iptables fields

Module for handling the iptables logs.

iptables

Fields from the iptables logs.

iptables.ether_type: Value of the ethernet type field identifying the network layer protocol.

type: long
iptables.flow_label: IPv6 flow label.

type: integer
iptables.fragment_flags: IP fragment flags. A combination of CE, DF and MF.

type: keyword
iptables.fragment_offset: Offset of the current IP fragment.

type: long

icmp

ICMP fields.

iptables.icmp.code: ICMP code.

type: long
iptables.icmp.id: ICMP ID.

type: long
iptables.icmp.parameter: ICMP parameter.

type: long
iptables.icmp.redirect: ICMP redirect address.

type: ip
iptables.icmp.seq: ICMP sequence number.

type: long
iptables.icmp.type: ICMP type.

type: long
iptables.id: Packet identifier.

type: long
iptables.incomplete_bytes: Number of incomplete bytes.

type: long
iptables.input_device: Device that received the packet.

type: keyword
iptables.precedence_bits: IP precedence bits.

type: short
iptables.tos: IP Type of Service field.

type: long
iptables.length: Packet length.

type: long
iptables.output_device: Device that output the packet.

type: keyword

tcp

TCP fields.

iptables.tcp.flags: TCP flags.

type: keyword
iptables.tcp.reserved_bits: TCP reserved bits.

type: short
iptables.tcp.seq: TCP sequence number.

type: long
iptables.tcp.ack: TCP Acknowledgment number.

type: long
iptables.tcp.window: Advertised TCP window size.

type: long
iptables.ttl: Time To Live field.

type: integer

udp

UDP fields.

iptables.udp.length: Length of the UDP header and payload.

type: long

ubiquiti

Fields for Ubiquiti network devices.

iptables.ubiquiti.input_zone: Input zone.

type: keyword
iptables.ubiquiti.output_zone: Output zone.

type: keyword
iptables.ubiquiti.rule_number: The rule number within the rule set.

type: keyword
iptables.ubiquiti.rule_set: The rule set name.

type: keyword

Jolokia Discovery autodiscover provider fields

Metadata from Jolokia Discovery added by the jolokia provider.

jolokia.agent.version: Version number of jolokia agent.

type: keyword
jolokia.agent.id: Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.

type: keyword
jolokia.server.product: The container product if detected.

type: keyword
jolokia.server.version: The container’s version (if detected).

type: keyword
jolokia.server.vendor: The vendor of the container the agent is running in.

type: keyword
jolokia.url: The URL how this agent can be contacted.

type: keyword
jolokia.secured: Whether the agent was configured for authentication or not.

type: boolean

Juniper JUNOS fields

juniper fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

juniper.srx

Module for parsing junipersrx syslog.

juniper.srx.reason: reason

type: keyword
juniper.srx.connection_tag: connection tag

type: keyword
juniper.srx.service_name: service name

type: keyword
juniper.srx.nat_connection_tag: nat connection tag

type: keyword
juniper.srx.src_nat_rule_type: src nat rule type

type: keyword
juniper.srx.src_nat_rule_name: src nat rule name

type: keyword
juniper.srx.dst_nat_rule_type: dst nat rule type

type: keyword
juniper.srx.dst_nat_rule_name: dst nat rule name

type: keyword
juniper.srx.protocol_id: protocol id

type: keyword
juniper.srx.policy_name: policy name

type: keyword
juniper.srx.session_id_32: session id 32

type: keyword
juniper.srx.session_id: session id

type: keyword
juniper.srx.outbound_packets: packets from client

type: integer
juniper.srx.outbound_bytes: bytes from client

type: integer
juniper.srx.inbound_packets: packets from server

type: integer
juniper.srx.inbound_bytes: bytes from server

type: integer
juniper.srx.elapsed_time: elapsed time

type: date
juniper.srx.application: application

type: keyword
juniper.srx.nested_application: nested application

type: keyword
juniper.srx.username: username

type: keyword
juniper.srx.roles: roles

type: keyword
juniper.srx.encrypted: encrypted

type: keyword
juniper.srx.application_category: application category

type: keyword
juniper.srx.application_sub_category: application sub category

type: keyword
juniper.srx.application_characteristics: application characteristics

type: keyword
juniper.srx.secure_web_proxy_session_type: secure web proxy session type

type: keyword
juniper.srx.peer_session_id: peer session id

type: keyword
juniper.srx.peer_source_address: peer source address

type: ip
juniper.srx.peer_source_port: peer source port

type: integer
juniper.srx.peer_destination_address: peer destination address

type: ip
juniper.srx.peer_destination_port: peer destination port

type: integer
juniper.srx.hostname: hostname

type: keyword
juniper.srx.src_vrf_grp: src_vrf_grp

type: keyword
juniper.srx.dst_vrf_grp: dst_vrf_grp

type: keyword
juniper.srx.icmp_type: icmp type

type: integer
juniper.srx.process: process that generated the message

type: keyword
juniper.srx.apbr_rule_type: apbr rule type

type: keyword
juniper.srx.dscp_value: apbr rule type

type: integer
juniper.srx.logical_system_name: logical system name

type: keyword
juniper.srx.profile_name: profile name

type: keyword
juniper.srx.routing_instance: routing instance

type: keyword
juniper.srx.rule_name: rule name

type: keyword
juniper.srx.uplink_tx_bytes: uplink tx bytes

type: integer
juniper.srx.uplink_rx_bytes: uplink rx bytes

type: integer
juniper.srx.obj: url path

type: keyword
juniper.srx.url: url domain

type: keyword
juniper.srx.profile: filter profile

type: keyword
juniper.srx.category: filter category

type: keyword
juniper.srx.filename: filename

type: keyword
juniper.srx.temporary_filename: temporary_filename

type: keyword
juniper.srx.name: name

type: keyword
juniper.srx.error_message: error_message

type: keyword
juniper.srx.error_code: error_code

type: keyword
juniper.srx.action: action

type: keyword
juniper.srx.protocol: protocol

type: keyword
juniper.srx.protocol_name: protocol name

type: keyword
juniper.srx.type: type

type: keyword
juniper.srx.repeat_count: repeat count

type: integer
juniper.srx.alert: repeat alert

type: keyword
juniper.srx.message_type: message type

type: keyword
juniper.srx.threat_severity: threat severity

type: keyword
juniper.srx.application_name: application name

type: keyword
juniper.srx.attack_name: attack name

type: keyword
juniper.srx.index: index

type: keyword
juniper.srx.message: mesagge

type: keyword
juniper.srx.epoch_time: epoch time

type: date
juniper.srx.packet_log_id: packet log id

type: integer
juniper.srx.export_id: packet log id

type: integer
juniper.srx.ddos_application_name: ddos application name

type: keyword
juniper.srx.connection_hit_rate: connection hit rate

type: integer
juniper.srx.time_scope: time scope

type: keyword
juniper.srx.context_hit_rate: context hit rate

type: integer
juniper.srx.context_value_hit_rate: context value hit rate

type: integer
juniper.srx.time_count: time count

type: integer
juniper.srx.time_period: time period

type: integer
juniper.srx.context_value: context value

type: keyword
juniper.srx.context_name: context name

type: keyword
juniper.srx.ruleebase_name: ruleebase name

type: keyword
juniper.srx.verdict_source: verdict source

type: keyword
juniper.srx.verdict_number: verdict number

type: integer
juniper.srx.file_category: file category

type: keyword
juniper.srx.sample_sha256: sample sha256

type: keyword
juniper.srx.malware_info: malware info

type: keyword
juniper.srx.client_ip: client ip

type: ip
juniper.srx.tenant_id: tenant id

type: keyword
juniper.srx.timestamp: timestamp

type: date
juniper.srx.th: th

type: keyword
juniper.srx.status: status

type: keyword
juniper.srx.state: state

type: keyword
juniper.srx.file_hash_lookup: file hash lookup

type: keyword
juniper.srx.file_name: file name

type: keyword
juniper.srx.action_detail: action detail

type: keyword
juniper.srx.sub_category: sub category

type: keyword
juniper.srx.feed_name: feed name

type: keyword
juniper.srx.occur_count: occur count

type: integer
juniper.srx.tag: system log message tag, which uniquely identifies the message.

type: keyword

Kafka fields

Kafka module

kafka

log

Kafka log lines.

kafka.log.component: Component the log is coming from.

type: keyword
kafka.log.class: Java class the log is coming from.

type: keyword
kafka.log.thread: Thread name the log is coming from.

type: keyword

trace

Trace in the log line.

kafka.log.trace.class: Java class the trace is coming from.

type: keyword
kafka.log.trace.message: Message part of the trace.

type: text

kibana fields

kibana Module

service.node.roles: type: keyword

kibana

Module for parsing Kibana logs.

kibana.session_id: The ID of the user session associated with this event. Each login attempt results in a unique session id.

type: keyword

example: 123e4567-e89b-12d3-a456-426614174000
kibana.space_id: The id of the space associated with this event.

type: keyword

example: default
kibana.saved_object.type: The type of the saved object associated with this event.

type: keyword

example: dashboard
kibana.saved_object.id: The id of the saved object associated with this event.

type: keyword

example: 6295bdd0-0a0e-11e7-825f-6748cda7d858
kibana.add_to_spaces: The set of space ids that a saved object was shared to.

type: keyword

example: ['default', 'marketing']
kibana.delete_from_spaces: The set of space ids that a saved object was removed from.

type: keyword

example: ['default', 'marketing']
kibana.authentication_provider: The authentication provider associated with a login event.

type: keyword

example: basic1
kibana.authentication_type: The authentication provider type associated with a login event.

type: keyword

example: basic
kibana.authentication_realm: The Elasticsearch authentication realm name which fulfilled a login event.

type: keyword

example: native
kibana.lookup_realm: The Elasticsearch lookup realm which fulfilled a login event.

type: keyword

example: native

log

Kibana log lines.

kibana.log.tags: Kibana logging tags.

type: keyword
kibana.log.state: Current state of Kibana.

type: keyword
kibana.log.meta: type: object
kibana.log.meta.req.headers: type: flattened
kibana.log.meta.res.headers: type: flattened

Kubernetes fields

Kubernetes metadata added by the kubernetes processor

kubernetes.pod.name: Kubernetes pod name

type: keyword
kubernetes.pod.uid: Kubernetes Pod UID

type: keyword
kubernetes.pod.ip: Kubernetes Pod IP

type: ip
kubernetes.namespace: Kubernetes namespace

type: keyword
kubernetes.node.name: Kubernetes node name

type: keyword
kubernetes.node.hostname: Kubernetes hostname as reported by the node’s kernel

type: keyword
kubernetes.labels.*: Kubernetes labels map

type: object
kubernetes.annotations.*: Kubernetes annotations map

type: object
kubernetes.selectors.*: Kubernetes selectors map

type: object
kubernetes.replicaset.name: Kubernetes replicaset name

type: keyword
kubernetes.deployment.name: Kubernetes deployment name

type: keyword
kubernetes.statefulset.name: Kubernetes statefulset name

type: keyword
kubernetes.container.name: Kubernetes container name (different than the name from the runtime)

type: keyword

Log file content fields

Contains log file lines.

log.source.address: Source address from which the log event was read / sent from.

type: keyword

required: False
log.offset: The file offset the reported line starts at.

type: long

required: False
stream: Log stream when reading container logs, can be 'stdout' or 'stderr'

type: keyword

required: False
input.type: The input type from which the event was generated. This field is set to the value specified for the type option in the input section of the Filebeat config file.

required: True
syslog.facility: The facility extracted from the priority.

type: long

required: False
syslog.priority: The priority of the syslog event.

type: long

required: False
syslog.severity_label: The human readable severity.

type: keyword

required: False
syslog.facility_label: The human readable facility.

type: keyword

required: False
process.program: The name of the program.

type: keyword

required: False
log.flags: This field contains the flags of the event.
http.response.content_length: type: alias

alias to: http.response.body.bytes
user_agent.os.full_name: type: keyword
fileset.name: The Filebeat fileset that generated this event.

type: keyword
fileset.module: type: alias

alias to: event.module
read_timestamp: type: alias

alias to: event.created
docker.attrs: docker.attrs contains labels and environment variables written by docker’s JSON File logging driver. These fields are only available when they are configured in the logging driver options.

type: object
icmp.code: ICMP code.

type: keyword
icmp.type: ICMP type.

type: keyword
igmp.type: IGMP type.

type: keyword
azure.eventhub: Name of the eventhub.

type: keyword
azure.offset: The offset.

type: long
azure.enqueued_time: The enqueued time.

type: date
azure.partition_id: The partition id.

type: long
azure.consumer_group: The consumer group.

type: keyword
azure.sequence_number: The sequence number.

type: long
kafka.topic: Kafka topic

type: keyword
kafka.partition: Kafka partition number

type: long
kafka.offset: Kafka offset of this message

type: long
kafka.key: Kafka key, corresponding to the Kafka value stored in the message

type: keyword
kafka.block_timestamp: Kafka outer (compressed) block timestamp

type: date
kafka.headers: An array of Kafka header strings for this message, in the form "<key>: <value>".

type: array

logstash fields

logstash Module

logstash

log

Fields from the Logstash logs.

logstash.log.module: The module or class where the event originate.

type: keyword
logstash.log.thread: Information about the running thread where the log originate.

type: keyword
logstash.log.thread.text: type: text
logstash.log.log_event: key and value debugging information.

type: object
logstash.log.log_event.action: type: keyword
logstash.log.pipeline_id: The ID of the pipeline.

type: keyword

example: main
logstash.log.message: type: alias

alias to: message
logstash.log.level: type: alias

alias to: log.level

slowlog

logstash.slowlog.module: The module or class where the event originate.

type: keyword
logstash.slowlog.thread: Information about the running thread where the log originate.

type: keyword
logstash.slowlog.thread.text: type: text
logstash.slowlog.event: Raw dump of the original event

type: keyword
logstash.slowlog.event.text: type: text
logstash.slowlog.plugin_name: Name of the plugin

type: keyword
logstash.slowlog.plugin_type: Type of the plugin: Inputs, Filters, Outputs or Codecs.

type: keyword
logstash.slowlog.took_in_millis: Execution time for the plugin in milliseconds.

type: long
logstash.slowlog.plugin_params: String value of the plugin configuration

type: keyword
logstash.slowlog.plugin_params.text: type: text
logstash.slowlog.plugin_params_object: key → value of the configuration used by the plugin.

type: object
logstash.slowlog.level: type: alias

alias to: log.level
logstash.slowlog.took_in_nanos: type: alias

alias to: event.duration

Lumberjack fields

Fields from Lumberjack input.

lumberjack: Structured data received in an event sent over the Lumberjack protocol.

type: flattened

Microsoft fields

Microsoft Module

microsoft.defender_atp

Module for ingesting Microsoft Defender ATP.

microsoft.defender_atp.lastUpdateTime: The date and time (in UTC) the alert was last updated.

type: date
microsoft.defender_atp.resolvedTime: The date and time in which the status of the alert was changed to 'Resolved'.

type: date
microsoft.defender_atp.incidentId: The Incident ID of the Alert.

type: keyword
microsoft.defender_atp.investigationId: The Investigation ID related to the Alert.

type: keyword
microsoft.defender_atp.investigationState: The current state of the Investigation.

type: keyword
microsoft.defender_atp.assignedTo: Owner of the alert.

type: keyword
microsoft.defender_atp.status: Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.

type: keyword
microsoft.defender_atp.classification: Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.

type: keyword
microsoft.defender_atp.determination: Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.

type: keyword
microsoft.defender_atp.threatFamilyName: Threat family.

type: keyword
microsoft.defender_atp.rbacGroupName: User group related to the alert

type: keyword
microsoft.defender_atp.evidence.domainName: Domain name related to the alert

type: keyword
microsoft.defender_atp.evidence.ipAddress: IP address involved in the alert

type: ip
microsoft.defender_atp.evidence.aadUserId: ID of the user involved in the alert

type: keyword
microsoft.defender_atp.evidence.accountName: Username of the user involved in the alert

type: keyword
microsoft.defender_atp.evidence.entityType: The type of evidence

type: keyword
microsoft.defender_atp.evidence.userPrincipalName: Principal name of the user involved in the alert

type: keyword
network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

microsoft.m365_defender

Module for ingesting Microsoft Defender ATP.

microsoft.m365_defender.incidentId: Unique identifier to represent the incident.

type: keyword
microsoft.m365_defender.redirectIncidentId: Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.

type: keyword
microsoft.m365_defender.incidentName: Name of the Incident.

type: keyword
microsoft.m365_defender.determination: Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.

type: keyword
microsoft.m365_defender.investigationState: The current state of the Investigation.

type: keyword
microsoft.m365_defender.assignedTo: Owner of the alert.

type: keyword
microsoft.m365_defender.tags: Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.

type: keyword
microsoft.m365_defender.status: Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.

type: keyword
microsoft.m365_defender.classification: Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.

type: keyword
microsoft.m365_defender.alerts.incidentId: Unique identifier to represent the incident this alert is associated with.

type: keyword
microsoft.m365_defender.alerts.resolvedTime: Time when alert was resolved.

type: date
microsoft.m365_defender.alerts.status: Categorize alerts (as New, Active, or Resolved).

type: keyword
microsoft.m365_defender.alerts.severity: The severity of the related alert.

type: keyword
microsoft.m365_defender.alerts.creationTime: Time when alert was first created.

type: date
microsoft.m365_defender.alerts.lastUpdatedTime: Time when alert was last updated.

type: date
microsoft.m365_defender.alerts.investigationId: The automated investigation id triggered by this alert.

type: keyword
microsoft.m365_defender.alerts.userSid: The SID of the related user

type: keyword
microsoft.m365_defender.alerts.detectionSource: The service that initially detected the threat.

type: keyword
microsoft.m365_defender.alerts.classification: The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null.

type: keyword
microsoft.m365_defender.alerts.investigationState: Information on the investigation’s current status.

type: keyword
microsoft.m365_defender.alerts.determination: Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null

type: keyword
microsoft.m365_defender.alerts.assignedTo: Owner of the incident, or null if no owner is assigned.

type: keyword
microsoft.m365_defender.alerts.actorName: The activity group, if any, the associated with this alert.

type: keyword
microsoft.m365_defender.alerts.threatFamilyName: Threat family associated with this alert.

type: keyword
microsoft.m365_defender.alerts.mitreTechniques: The attack techniques, as aligned with the MITRE ATT&CK™ framework.

type: keyword
microsoft.m365_defender.alerts.entities.entityType: Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.

type: keyword
microsoft.m365_defender.alerts.entities.accountName: Account name of the related user.

type: keyword
microsoft.m365_defender.alerts.entities.mailboxDisplayName: The display name of the related mailbox.

type: keyword
microsoft.m365_defender.alerts.entities.mailboxAddress: The mail address of the related mailbox.

type: keyword
microsoft.m365_defender.alerts.entities.clusterBy: A list of metadata if the entityType is MailCluster.

type: keyword
microsoft.m365_defender.alerts.entities.sender: The sender for the related email message.

type: keyword
microsoft.m365_defender.alerts.entities.recipient: The recipient for the related email message.

type: keyword
microsoft.m365_defender.alerts.entities.subject: The subject for the related email message.

type: keyword
microsoft.m365_defender.alerts.entities.deliveryAction: The delivery status for the related email message.

type: keyword
microsoft.m365_defender.alerts.entities.securityGroupId: The Security Group ID for the user related to the email message.

type: keyword
microsoft.m365_defender.alerts.entities.securityGroupName: The Security Group Name for the user related to the email message.

type: keyword
microsoft.m365_defender.alerts.entities.registryHive: Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE.

type: keyword
microsoft.m365_defender.alerts.entities.registryKey: Reference to the related registry key to the event.

type: keyword
microsoft.m365_defender.alerts.entities.registryValueType: Value type of the registry key/value pair related to the event.

type: keyword
microsoft.m365_defender.alerts.entities.deviceId: The unique ID of the device related to the event.

type: keyword
microsoft.m365_defender.alerts.entities.ipAddress: The related IP address to the event.

type: keyword
microsoft.m365_defender.alerts.devices: The devices related to the investigation.

type: flattened

MISP fields

Module for handling threat information from MISP.

misp

Fields from MISP threat information.

attack_pattern

Fields provide support for specifying information about attack patterns.

misp.attack_pattern.id: Identifier of the threat indicator.

type: keyword
misp.attack_pattern.name: Name of the attack pattern.

type: keyword
misp.attack_pattern.description: Description of the attack pattern.

type: text
misp.attack_pattern.kill_chain_phases: The kill chain phase(s) to which this attack pattern corresponds.

type: keyword

campaign

Fields provide support for specifying information about campaigns.

misp.campaign.id: Identifier of the campaign.

type: keyword
misp.campaign.name: Name of the campaign.

type: keyword
misp.campaign.description: Description of the campaign.

type: text
misp.campaign.aliases: Alternative names used to identify this campaign.

type: text
misp.campaign.first_seen: The time that this Campaign was first seen, in RFC3339 format.

type: date
misp.campaign.last_seen: The time that this Campaign was last seen, in RFC3339 format.

type: date
misp.campaign.objective: This field defines the Campaign’s primary goal, objective, desired outcome, or intended effect.

type: keyword

course_of_action

A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.

misp.course_of_action.id: Identifier of the Course of Action.

type: keyword
misp.course_of_action.name: The name used to identify the Course of Action.

type: keyword
misp.course_of_action.description: Description of the Course of Action.

type: text

identity

Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.

misp.identity.id: Identifier of the Identity.

type: keyword
misp.identity.name: The name used to identify the Identity.

type: keyword
misp.identity.description: Description of the Identity.

type: text
misp.identity.identity_class: The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov

type: keyword
misp.identity.labels: The list of roles that this Identity performs.

type: keyword

example: CEO
misp.identity.sectors: The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov

type: keyword
misp.identity.contact_information: The contact information (e-mail, phone number, etc.) for this Identity.

type: text

intrusion_set

An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.

misp.intrusion_set.id: Identifier of the Intrusion Set.

type: keyword
misp.intrusion_set.name: The name used to identify the Intrusion Set.

type: keyword
misp.intrusion_set.description: Description of the Intrusion Set.

type: text
misp.intrusion_set.aliases: Alternative names used to identify the Intrusion Set.

type: text
misp.intrusion_set.first_seen: The time that this Intrusion Set was first seen, in RFC3339 format.

type: date
misp.intrusion_set.last_seen: The time that this Intrusion Set was last seen, in RFC3339 format.

type: date
misp.intrusion_set.goals: The high level goals of this Intrusion Set, namely, what are they trying to do.

type: text
misp.intrusion_set.resource_level: This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov

type: text
misp.intrusion_set.primary_motivation: The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov

type: text
misp.intrusion_set.secondary_motivations: The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov

type: text

malware

Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.

misp.malware.id: Identifier of the Malware.

type: keyword
misp.malware.name: The name used to identify the Malware.

type: keyword
misp.malware.description: Description of the Malware.

type: text
misp.malware.labels: The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm

type: keyword
misp.malware.kill_chain_phases: The list of kill chain phases for which this Malware instance can be used.

type: keyword

format: string

note

A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.

misp.note.id: Identifier of the Note.

type: keyword
misp.note.summary: A brief description used as a summary of the Note.

type: keyword
misp.note.description: The content of the Note.

type: text
misp.note.authors: The name of the author(s) of this Note.

type: keyword
misp.note.object_refs: The STIX Objects (SDOs and SROs) that the note is being applied to.

type: keyword

threat_indicator

Fields provide support for specifying information about threat indicators, and related matching patterns.

misp.threat_indicator.labels: list of type open-vocab that specifies the type of indicator.

type: keyword

example: Domain Watchlist
misp.threat_indicator.id: Identifier of the threat indicator.

type: keyword
misp.threat_indicator.version: Version of the threat indicator.

type: keyword
misp.threat_indicator.type: Type of the threat indicator.

type: keyword
misp.threat_indicator.description: Description of the threat indicator.

type: text
misp.threat_indicator.feed: Name of the threat feed.

type: text
misp.threat_indicator.valid_from: The time from which this Indicator should be considered valuable intelligence, in RFC3339 format.

type: date
misp.threat_indicator.valid_until: The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format.

type: date
misp.threat_indicator.severity: Threat severity to which this indicator corresponds.

type: keyword

example: high

format: string
misp.threat_indicator.confidence: Confidence level to which this indicator corresponds.

type: keyword

example: high
misp.threat_indicator.kill_chain_phases: The kill chain phase(s) to which this indicator corresponds.

type: keyword

format: string
misp.threat_indicator.mitre_tactic: MITRE tactics to which this indicator corresponds.

type: keyword

example: Initial Access

format: string
misp.threat_indicator.mitre_technique: MITRE techniques to which this indicator corresponds.

type: keyword

example: Drive-by Compromise

format: string
misp.threat_indicator.attack_pattern: The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning.

type: keyword

example: [destination:ip = '91.219.29.188/32']
misp.threat_indicator.attack_pattern_kql: The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format.

type: keyword

example: destination.ip: "91.219.29.188/32"
misp.threat_indicator.negate: When set to true, it specifies the absence of the attack_pattern.

type: boolean
misp.threat_indicator.intrusion_set: Name of the intrusion set if known.

type: keyword
misp.threat_indicator.campaign: Name of the attack campaign if known.

type: keyword
misp.threat_indicator.threat_actor: Name of the threat actor if known.

type: keyword

observed_data

Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.

misp.observed_data.id: Identifier of the Observed Data.

type: keyword
misp.observed_data.first_observed: The beginning of the time window that the data was observed, in RFC3339 format.

type: date
misp.observed_data.last_observed: The end of the time window that the data was observed, in RFC3339 format.

type: date
misp.observed_data.number_observed: The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.

type: integer
misp.observed_data.objects: A dictionary of Cyber Observable Objects that describes the single fact that was observed.

type: keyword

report

Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.

misp.report.id: Identifier of the Report.

type: keyword
misp.report.labels: This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability

type: keyword
misp.report.name: The name used to identify the Report.

type: keyword
misp.report.description: A description that provides more details and context about Report.

type: text
misp.report.published: The date that this report object was officially published by the creator of this report, in RFC3339 format.

type: date
misp.report.object_refs: Specifies the STIX Objects that are referred to by this Report.

type: text

threat_actor

Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.

misp.threat_actor.id: Identifier of the Threat Actor.

type: keyword
misp.threat_actor.labels: This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist

type: keyword
misp.threat_actor.name: The name used to identify this Threat Actor or Threat Actor group.

type: keyword
misp.threat_actor.description: A description that provides more details and context about the Threat Actor.

type: text
misp.threat_actor.aliases: A list of other names that this Threat Actor is believed to use.

type: text
misp.threat_actor.roles: This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author

type: text
misp.threat_actor.goals: The high level goals of this Threat Actor, namely, what are they trying to do.

type: text
misp.threat_actor.sophistication: The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator

type: text
misp.threat_actor.resource_level: This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government

type: text
misp.threat_actor.primary_motivation: The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable

type: text
misp.threat_actor.secondary_motivations: The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable

type: text
misp.threat_actor.personal_motivations: The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable

type: text

tool

Tools are legitimate software that can be used by threat actors to perform attacks.

misp.tool.id: Identifier of the Tool.

type: keyword
misp.tool.labels: The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning

type: keyword
misp.tool.name: The name used to identify the Tool.

type: keyword
misp.tool.description: A description that provides more details and context about the Tool.

type: text
misp.tool.tool_version: The version identifier associated with the Tool.

type: keyword
misp.tool.kill_chain_phases: The list of kill chain phases for which this Tool instance can be used.

type: text

vulnerability

A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.

misp.vulnerability.id: Identifier of the Vulnerability.

type: keyword
misp.vulnerability.name: The name used to identify the Vulnerability.

type: keyword
misp.vulnerability.description: A description that provides more details and context about the Vulnerability.

type: text

mongodb fields

Module for parsing MongoDB log files.

mongodb

Fields from MongoDB logs.

log

Contains fields from MongoDB logs.

mongodb.log.component: Functional categorization of message

type: keyword

example: COMMAND
mongodb.log.context: Context of message

type: keyword

example: initandlisten
mongodb.log.severity: type: alias

alias to: log.level
mongodb.log.message: type: alias

alias to: message
mongodb.log.id: Integer representing the unique identifier of the log statement

type: long

example: 4615611

mssql fields

MS SQL Filebeat Module

mssql

Fields from the MSSQL log files

log

Common log fields

mssql.log.origin: Origin of the message, usually the server but it can also be a recovery process

type: keyword

MySQL fields

Module for parsing the MySQL log files.

mysql

Fields from the MySQL log files.

mysql.thread_id: The connection or thread ID for the query.

type: long

error

Contains fields from the MySQL error logs.

mysql.error.thread_id: type: alias

alias to: mysql.thread_id
mysql.error.level: type: alias

alias to: log.level
mysql.error.message: type: alias

alias to: message

slowlog

Contains fields from the MySQL slow logs.

mysql.slowlog.lock_time.sec: The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number.

type: float
mysql.slowlog.rows_sent: The number of rows returned by the query.

type: long
mysql.slowlog.rows_examined: The number of rows scanned by the query.

type: long
mysql.slowlog.rows_affected: The number of rows modified by the query.

type: long
mysql.slowlog.bytes_sent: The number of bytes sent to client.

type: long

format: bytes
mysql.slowlog.bytes_received: The number of bytes received from client.

type: long

format: bytes
mysql.slowlog.query: The slow query.
mysql.slowlog.id: type: alias

alias to: mysql.thread_id
mysql.slowlog.schema: The schema where the slow query was executed.

type: keyword
mysql.slowlog.current_user: Current authenticated user, used to determine access privileges. Can differ from the value for user.

type: keyword
mysql.slowlog.last_errno: Last SQL error seen.

type: keyword
mysql.slowlog.killed: Code of the reason if the query was killed.

type: keyword
mysql.slowlog.query_cache_hit: Whether the query cache was hit.

type: boolean
mysql.slowlog.tmp_table: Whether a temporary table was used to resolve the query.

type: boolean
mysql.slowlog.tmp_table_on_disk: Whether the query needed temporary tables on disk.

type: boolean
mysql.slowlog.tmp_tables: Number of temporary tables created for this query

type: long
mysql.slowlog.tmp_disk_tables: Number of temporary tables created on disk for this query.

type: long
mysql.slowlog.tmp_table_sizes: Size of temporary tables created for this query.

type: long

format: bytes
mysql.slowlog.filesort: Whether filesort optimization was used.

type: boolean
mysql.slowlog.filesort_on_disk: Whether filesort optimization was used and it needed temporary tables on disk.

type: boolean
mysql.slowlog.priority_queue: Whether a priority queue was used for filesort.

type: boolean
mysql.slowlog.full_scan: Whether a full table scan was needed for the slow query.

type: boolean
mysql.slowlog.full_join: Whether a full join was needed for the slow query (no indexes were used for joins).

type: boolean
mysql.slowlog.merge_passes: Number of merge passes executed for the query.

type: long
mysql.slowlog.sort_merge_passes: Number of merge passes that the sort algorithm has had to do.

type: long
mysql.slowlog.sort_range_count: Number of sorts that were done using ranges.

type: long
mysql.slowlog.sort_rows: Number of sorted rows.

type: long
mysql.slowlog.sort_scan_count: Number of sorts that were done by scanning the table.

type: long
mysql.slowlog.log_slow_rate_type: Type of slow log rate limit, it can be session if the rate limit is applied per session, or query if it applies per query.

type: keyword
mysql.slowlog.log_slow_rate_limit: Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.

type: keyword
mysql.slowlog.read_first: The number of times the first entry in an index was read.

type: long
mysql.slowlog.read_last: The number of times the last key in an index was read.

type: long
mysql.slowlog.read_key: The number of requests to read a row based on a key.

type: long
mysql.slowlog.read_next: The number of requests to read the next row in key order.

type: long
mysql.slowlog.read_prev: The number of requests to read the previous row in key order.

type: long
mysql.slowlog.read_rnd: The number of requests to read a row based on a fixed position.

type: long
mysql.slowlog.read_rnd_next: The number of requests to read the next row in the data file.

type: long

innodb

Contains fields relative to InnoDB engine

mysql.slowlog.innodb.trx_id: Transaction ID

type: keyword
mysql.slowlog.innodb.io_r_ops: Number of page read operations.

type: long
mysql.slowlog.innodb.io_r_bytes: Bytes read during page read operations.

type: long

format: bytes
mysql.slowlog.innodb.io_r_wait.sec: How long it took to read all needed data from storage.

type: long
mysql.slowlog.innodb.rec_lock_wait.sec: How long the query waited for locks.

type: long
mysql.slowlog.innodb.queue_wait.sec: How long the query waited to enter the InnoDB queue and to be executed once in the queue.

type: long
mysql.slowlog.innodb.pages_distinct: Approximated count of pages accessed to execute the query.

type: long
mysql.slowlog.user: type: alias

alias to: user.name
mysql.slowlog.host: type: alias

alias to: source.domain
mysql.slowlog.ip: type: alias

alias to: source.ip

MySQL Enterprise fields

MySQL Enterprise Audit module

mysqlenterprise

Fields from MySQL Enterprise Logs

audit

Module for parsing MySQL Enterprise Audit Logs

mysqlenterprise.audit.class: A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.

type: keyword
mysqlenterprise.audit.connection_id: An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.

type: keyword
mysqlenterprise.audit.id: An unsigned integer representing an event ID.

type: keyword
mysqlenterprise.audit.connection_data.connection_type: The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).

type: keyword
mysqlenterprise.audit.connection_data.status: An integer representing the command status: 0 for success, nonzero if an error occurred.

type: long
mysqlenterprise.audit.connection_data.db: A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.

type: keyword
mysqlenterprise.audit.connection_data.connection_attributes: Connection attributes that might be passed by different MySQL Clients.

type: flattened
mysqlenterprise.audit.general_data.command: A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.

type: keyword
mysqlenterprise.audit.general_data.sql_command: A string that indicates the SQL statement type.

type: keyword
mysqlenterprise.audit.general_data.query: A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.

type: keyword
mysqlenterprise.audit.general_data.status: An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.

type: long
mysqlenterprise.audit.login.user: A string representing the information indicating how a client connected to the server.

type: keyword
mysqlenterprise.audit.login.proxy: A string representing the proxy user. The value is empty if user proxying is not in effect.

type: keyword
mysqlenterprise.audit.shutdown_data.server_id: An integer representing the server ID. This is the same as the value of the server_id system variable.

type: keyword
mysqlenterprise.audit.startup_data.server_id: An integer representing the server ID. This is the same as the value of the server_id system variable.

type: keyword
mysqlenterprise.audit.startup_data.mysql_version: An integer representing the server ID. This is the same as the value of the server_id system variable.

type: keyword
mysqlenterprise.audit.table_access_data.db: A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.

type: keyword
mysqlenterprise.audit.table_access_data.table: A string representing a table name.

type: keyword
mysqlenterprise.audit.table_access_data.query: A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.

type: keyword
mysqlenterprise.audit.table_access_data.sql_command: A string that indicates the SQL statement type.

type: keyword
mysqlenterprise.audit.account.user: A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.

type: keyword
mysqlenterprise.audit.account.host: A string representing the client host name.

type: keyword
mysqlenterprise.audit.login.os: A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.

type: keyword

NATS fields

Module for parsing NATS log files.

nats

Fields from NATS logs.

log

Nats log files

client

Fields from NATS logs client.

nats.log.client.id: The id of the client

type: integer

msg

Fields from NATS logs message.

nats.log.msg.bytes: Size of the payload in bytes

type: long

format: bytes
nats.log.msg.type: The protocol message type

type: keyword
nats.log.msg.subject: Subject name this message was received on

type: keyword
nats.log.msg.sid: The unique alphanumeric subscription ID of the subject

type: integer
nats.log.msg.reply_to: The inbox subject on which the publisher is listening for responses

type: keyword
nats.log.msg.max_messages: An optional number of messages to wait for before automatically unsubscribing

type: integer
nats.log.msg.error.message: Details about the error occurred

type: text
nats.log.msg.queue_group: The queue group which subscriber will join

type: text

NetFlow fields

Fields from NetFlow and IPFIX flows.

netflow

Fields from NetFlow and IPFIX.

netflow.type: The type of NetFlow record described by this event.

type: keyword

exporter

Metadata related to the exporter device that generated this record.

netflow.exporter.address: Exporter’s network address in IP:port format.

type: keyword
netflow.exporter.source_id: Observation domain ID to which this record belongs.

type: long
netflow.exporter.timestamp: Time and date of export.

type: date
netflow.exporter.uptime_millis: How long the exporter process has been running, in milliseconds.

type: long
netflow.exporter.version: NetFlow version used.

type: integer
netflow.absolute_error: type: double
netflow.address_pool_high_threshold: type: long
netflow.address_pool_low_threshold: type: long
netflow.address_port_mapping_high_threshold: type: long
netflow.address_port_mapping_low_threshold: type: long
netflow.address_port_mapping_per_user_high_threshold: type: long
netflow.afc_protocol: type: integer
netflow.afc_protocol_name: type: keyword
netflow.anonymization_flags: type: integer
netflow.anonymization_technique: type: integer
netflow.application_business-relevance: type: long
netflow.application_category_name: type: keyword
netflow.application_description: type: keyword
netflow.application_group_name: type: keyword
netflow.application_http_uri_statistics: type: short
netflow.application_http_user-agent: type: short
netflow.application_id: type: short
netflow.application_name: type: keyword
netflow.application_sub_category_name: type: keyword
netflow.application_traffic-class: type: long
netflow.art_client_network_time_maximum: type: long
netflow.art_client_network_time_minimum: type: long
netflow.art_client_network_time_sum: type: long
netflow.art_clientpackets: type: long
netflow.art_count_late_responses: type: long
netflow.art_count_new_connections: type: long
netflow.art_count_responses: type: long
netflow.art_count_responses_histogram_bucket1: type: long
netflow.art_count_responses_histogram_bucket2: type: long
netflow.art_count_responses_histogram_bucket3: type: long
netflow.art_count_responses_histogram_bucket4: type: long
netflow.art_count_responses_histogram_bucket5: type: long
netflow.art_count_responses_histogram_bucket6: type: long
netflow.art_count_responses_histogram_bucket7: type: long
netflow.art_count_retransmissions: type: long
netflow.art_count_transactions: type: long
netflow.art_network_time_maximum: type: long
netflow.art_network_time_minimum: type: long
netflow.art_network_time_sum: type: long
netflow.art_response_time_maximum: type: long
netflow.art_response_time_minimum: type: long
netflow.art_response_time_sum: type: long
netflow.art_server_network_time_maximum: type: long
netflow.art_server_network_time_minimum: type: long
netflow.art_server_network_time_sum: type: long
netflow.art_server_response_time_maximum: type: long
netflow.art_server_response_time_minimum: type: long
netflow.art_server_response_time_sum: type: long
netflow.art_serverpackets: type: long
netflow.art_total_response_time_maximum: type: long
netflow.art_total_response_time_minimum: type: long
netflow.art_total_response_time_sum: type: long
netflow.art_total_transaction_time_maximum: type: long
netflow.art_total_transaction_time_minimum: type: long
netflow.art_total_transaction_time_sum: type: long
netflow.assembled_fragment_count: type: long
netflow.audit_counter: type: long
netflow.average_interarrival_time: type: long
netflow.bgp_destination_as_number: type: long
netflow.bgp_next_adjacent_as_number: type: long
netflow.bgp_next_hop_ipv4_address: type: ip
netflow.bgp_next_hop_ipv6_address: type: ip
netflow.bgp_prev_adjacent_as_number: type: long
netflow.bgp_source_as_number: type: long
netflow.bgp_validity_state: type: short
netflow.biflow_direction: type: short
netflow.bind_ipv4_address: type: ip
netflow.bind_transport_port: type: integer
netflow.class_id: type: long
netflow.class_name: type: keyword
netflow.classification_engine_id: type: short
netflow.collection_time_milliseconds: type: date
netflow.collector_certificate: type: short
netflow.collector_ipv4_address: type: ip
netflow.collector_ipv6_address: type: ip
netflow.collector_transport_port: type: integer
netflow.common_properties_id: type: long
netflow.confidence_level: type: double
netflow.conn_ipv4_address: type: ip
netflow.conn_transport_port: type: integer
netflow.connection_sum_duration_seconds: type: long
netflow.connection_transaction_id: type: long
netflow.conntrack_id: type: long
netflow.data_byte_count: type: long
netflow.data_link_frame_section: type: short
netflow.data_link_frame_size: type: integer
netflow.data_link_frame_type: type: integer
netflow.data_records_reliability: type: boolean
netflow.delta_flow_count: type: long
netflow.destination_ipv4_address: type: ip
netflow.destination_ipv4_prefix: type: ip
netflow.destination_ipv4_prefix_length: type: short
netflow.destination_ipv6_address: type: ip
netflow.destination_ipv6_prefix: type: ip
netflow.destination_ipv6_prefix_length: type: short
netflow.destination_mac_address: type: keyword
netflow.destination_transport_port: type: integer
netflow.digest_hash_value: type: long
netflow.distinct_count_of_destination_ip_address: type: long
netflow.distinct_count_of_destination_ipv4_address: type: long
netflow.distinct_count_of_destination_ipv6_address: type: long
netflow.distinct_count_of_source_ip_address: type: long
netflow.distinct_count_of_source_ipv4_address: type: long
netflow.distinct_count_of_source_ipv6_address: type: long
netflow.dns_authoritative: type: short
netflow.dns_cname: type: keyword
netflow.dns_id: type: integer
netflow.dns_mx_exchange: type: keyword
netflow.dns_mx_preference: type: integer
netflow.dns_nsd_name: type: keyword
netflow.dns_nx_domain: type: short
netflow.dns_ptrd_name: type: keyword
netflow.dns_qname: type: keyword
netflow.dns_qr_type: type: integer
netflow.dns_query_response: type: short
netflow.dns_rr_section: type: short
netflow.dns_soa_expire: type: long
netflow.dns_soa_minimum: type: long
netflow.dns_soa_refresh: type: long
netflow.dns_soa_retry: type: long
netflow.dns_soa_serial: type: long
netflow.dns_soam_name: type: keyword
netflow.dns_soar_name: type: keyword
netflow.dns_srv_port: type: integer
netflow.dns_srv_priority: type: integer
netflow.dns_srv_target: type: integer
netflow.dns_srv_weight: type: integer
netflow.dns_ttl: type: long
netflow.dns_txt_data: type: keyword
netflow.dot1q_customer_dei: type: boolean
netflow.dot1q_customer_destination_mac_address: type: keyword
netflow.dot1q_customer_priority: type: short
netflow.dot1q_customer_source_mac_address: type: keyword
netflow.dot1q_customer_vlan_id: type: integer
netflow.dot1q_dei: type: boolean
netflow.dot1q_priority: type: short
netflow.dot1q_service_instance_id: type: long
netflow.dot1q_service_instance_priority: type: short
netflow.dot1q_service_instance_tag: type: short
netflow.dot1q_vlan_id: type: integer
netflow.dropped_layer2_octet_delta_count: type: long
netflow.dropped_layer2_octet_total_count: type: long
netflow.dropped_octet_delta_count: type: long
netflow.dropped_octet_total_count: type: long
netflow.dropped_packet_delta_count: type: long
netflow.dropped_packet_total_count: type: long
netflow.dst_traffic_index: type: long
netflow.egress_broadcast_packet_total_count: type: long
netflow.egress_interface: type: long
netflow.egress_interface_type: type: long
netflow.egress_physical_interface: type: long
netflow.egress_unicast_packet_total_count: type: long
netflow.egress_vrfid: type: long
netflow.encrypted_technology: type: keyword
netflow.engine_id: type: short
netflow.engine_type: type: short
netflow.ethernet_header_length: type: short
netflow.ethernet_payload_length: type: integer
netflow.ethernet_total_length: type: integer
netflow.ethernet_type: type: integer
netflow.expired_fragment_count: type: long
netflow.export_interface: type: long
netflow.export_protocol_version: type: short
netflow.export_sctp_stream_id: type: integer
netflow.export_transport_protocol: type: short
netflow.exported_flow_record_total_count: type: long
netflow.exported_message_total_count: type: long
netflow.exported_octet_total_count: type: long
netflow.exporter_certificate: type: short
netflow.exporter_ipv4_address: type: ip
netflow.exporter_ipv6_address: type: ip
netflow.exporter_transport_port: type: integer
netflow.exporting_process_id: type: long
netflow.external_address_realm: type: short
netflow.firewall_event: type: short
netflow.first_eight_non_empty_packet_directions: type: short
netflow.first_non_empty_packet_size: type: integer
netflow.first_packet_banner: type: keyword
netflow.flags_and_sampler_id: type: long
netflow.flow_active_timeout: type: integer
netflow.flow_attributes: type: integer
netflow.flow_direction: type: short
netflow.flow_duration_microseconds: type: long
netflow.flow_duration_milliseconds: type: long
netflow.flow_end_delta_microseconds: type: long
netflow.flow_end_microseconds: type: date
netflow.flow_end_milliseconds: type: date
netflow.flow_end_nanoseconds: type: date
netflow.flow_end_reason: type: short
netflow.flow_end_seconds: type: date
netflow.flow_end_sys_up_time: type: long
netflow.flow_id: type: long
netflow.flow_idle_timeout: type: integer
netflow.flow_key_indicator: type: long
netflow.flow_label_ipv6: type: long
netflow.flow_sampling_time_interval: type: long
netflow.flow_sampling_time_spacing: type: long
netflow.flow_selected_flow_delta_count: type: long
netflow.flow_selected_octet_delta_count: type: long
netflow.flow_selected_packet_delta_count: type: long
netflow.flow_selector_algorithm: type: integer
netflow.flow_start_delta_microseconds: type: long
netflow.flow_start_microseconds: type: date
netflow.flow_start_milliseconds: type: date
netflow.flow_start_nanoseconds: type: date
netflow.flow_start_seconds: type: date
netflow.flow_start_sys_up_time: type: long
netflow.flow_table_flush_event_count: type: long
netflow.flow_table_peak_count: type: long
netflow.forwarding_status: type: short
netflow.fragment_flags: type: short
netflow.fragment_identification: type: long
netflow.fragment_offset: type: integer
netflow.fw_blackout_secs: type: long
netflow.fw_configured_value: type: long
netflow.fw_cts_src_sgt: type: long
netflow.fw_event_level: type: long
netflow.fw_event_level_id: type: long
netflow.fw_ext_event: type: integer
netflow.fw_ext_event_alt: type: long
netflow.fw_ext_event_desc: type: keyword
netflow.fw_half_open_count: type: long
netflow.fw_half_open_high: type: long
netflow.fw_half_open_rate: type: long
netflow.fw_max_sessions: type: long
netflow.fw_rule: type: keyword
netflow.fw_summary_pkt_count: type: long
netflow.fw_zone_pair_id: type: long
netflow.fw_zone_pair_name: type: long
netflow.global_address_mapping_high_threshold: type: long
netflow.gre_key: type: long
netflow.hash_digest_output: type: boolean
netflow.hash_flow_domain: type: integer
netflow.hash_initialiser_value: type: long
netflow.hash_ip_payload_offset: type: long
netflow.hash_ip_payload_size: type: long
netflow.hash_output_range_max: type: long
netflow.hash_output_range_min: type: long
netflow.hash_selected_range_max: type: long
netflow.hash_selected_range_min: type: long
netflow.http_content_type: type: keyword
netflow.http_message_version: type: keyword
netflow.http_reason_phrase: type: keyword
netflow.http_request_host: type: keyword
netflow.http_request_method: type: keyword
netflow.http_request_target: type: keyword
netflow.http_status_code: type: integer
netflow.http_user_agent: type: keyword
netflow.icmp_code_ipv4: type: short
netflow.icmp_code_ipv6: type: short
netflow.icmp_type_code_ipv4: type: integer
netflow.icmp_type_code_ipv6: type: integer
netflow.icmp_type_ipv4: type: short
netflow.icmp_type_ipv6: type: short
netflow.igmp_type: type: short
netflow.ignored_data_record_total_count: type: long
netflow.ignored_layer2_frame_total_count: type: long
netflow.ignored_layer2_octet_total_count: type: long
netflow.ignored_octet_total_count: type: long
netflow.ignored_packet_total_count: type: long
netflow.information_element_data_type: type: short
netflow.information_element_description: type: keyword
netflow.information_element_id: type: integer
netflow.information_element_index: type: integer
netflow.information_element_name: type: keyword
netflow.information_element_range_begin: type: long
netflow.information_element_range_end: type: long
netflow.information_element_semantics: type: short
netflow.information_element_units: type: integer
netflow.ingress_broadcast_packet_total_count: type: long
netflow.ingress_interface: type: long
netflow.ingress_interface_type: type: long
netflow.ingress_multicast_packet_total_count: type: long
netflow.ingress_physical_interface: type: long
netflow.ingress_unicast_packet_total_count: type: long
netflow.ingress_vrfid: type: long
netflow.initial_tcp_flags: type: short
netflow.initiator_octets: type: long
netflow.initiator_packets: type: long
netflow.interface_description: type: keyword
netflow.interface_name: type: keyword
netflow.intermediate_process_id: type: long
netflow.internal_address_realm: type: short
netflow.ip_class_of_service: type: short
netflow.ip_diff_serv_code_point: type: short
netflow.ip_header_length: type: short
netflow.ip_header_packet_section: type: short
netflow.ip_next_hop_ipv4_address: type: ip
netflow.ip_next_hop_ipv6_address: type: ip
netflow.ip_payload_length: type: long
netflow.ip_payload_packet_section: type: short
netflow.ip_precedence: type: short
netflow.ip_sec_spi: type: long
netflow.ip_total_length: type: long
netflow.ip_ttl: type: short
netflow.ip_version: type: short
netflow.ipv4_ihl: type: short
netflow.ipv4_options: type: long
netflow.ipv4_router_sc: type: ip
netflow.ipv6_extension_headers: type: long
netflow.is_multicast: type: short
netflow.ixia_browser_id: type: short
netflow.ixia_browser_name: type: keyword
netflow.ixia_device_id: type: short
netflow.ixia_device_name: type: keyword
netflow.ixia_dns_answer: type: keyword
netflow.ixia_dns_classes: type: keyword
netflow.ixia_dns_query: type: keyword
netflow.ixia_dns_record_txt: type: keyword
netflow.ixia_dst_as_name: type: keyword
netflow.ixia_dst_city_name: type: keyword
netflow.ixia_dst_country_code: type: keyword
netflow.ixia_dst_country_name: type: keyword
netflow.ixia_dst_latitude: type: float
netflow.ixia_dst_longitude: type: float
netflow.ixia_dst_region_code: type: keyword
netflow.ixia_dst_region_node: type: keyword
netflow.ixia_encrypt_cipher: type: keyword
netflow.ixia_encrypt_key_length: type: integer
netflow.ixia_encrypt_type: type: keyword
netflow.ixia_http_host_name: type: keyword
netflow.ixia_http_uri: type: keyword
netflow.ixia_http_user_agent: type: keyword
netflow.ixia_imsi_subscriber: type: keyword
netflow.ixia_l7_app_id: type: long
netflow.ixia_l7_app_name: type: keyword
netflow.ixia_latency: type: long
netflow.ixia_rev_octet_delta_count: type: long
netflow.ixia_rev_packet_delta_count: type: long
netflow.ixia_src_as_name: type: keyword
netflow.ixia_src_city_name: type: keyword
netflow.ixia_src_country_code: type: keyword
netflow.ixia_src_country_name: type: keyword
netflow.ixia_src_latitude: type: float
netflow.ixia_src_longitude: type: float
netflow.ixia_src_region_code: type: keyword
netflow.ixia_src_region_name: type: keyword
netflow.ixia_threat_ipv4: type: ip
netflow.ixia_threat_ipv6: type: ip
netflow.ixia_threat_type: type: keyword
netflow.large_packet_count: type: long
netflow.layer2_frame_delta_count: type: long
netflow.layer2_frame_total_count: type: long
netflow.layer2_octet_delta_count: type: long
netflow.layer2_octet_delta_sum_of_squares: type: long
netflow.layer2_octet_total_count: type: long
netflow.layer2_octet_total_sum_of_squares: type: long
netflow.layer2_segment_id: type: long
netflow.layer2packet_section_data: type: short
netflow.layer2packet_section_offset: type: integer
netflow.layer2packet_section_size: type: integer
netflow.line_card_id: type: long
netflow.log_op: type: short
netflow.lower_ci_limit: type: double
netflow.mark: type: long
netflow.max_bib_entries: type: long
netflow.max_entries_per_user: type: long
netflow.max_export_seconds: type: date
netflow.max_flow_end_microseconds: type: date
netflow.max_flow_end_milliseconds: type: date
netflow.max_flow_end_nanoseconds: type: date
netflow.max_flow_end_seconds: type: date
netflow.max_fragments_pending_reassembly: type: long
netflow.max_packet_size: type: integer
netflow.max_session_entries: type: long
netflow.max_subscribers: type: long
netflow.maximum_ip_total_length: type: long
netflow.maximum_layer2_total_length: type: long
netflow.maximum_ttl: type: short
netflow.mean_flow_rate: type: long
netflow.mean_packet_rate: type: long
netflow.message_md5_checksum: type: short
netflow.message_scope: type: short
netflow.metering_process_id: type: long
netflow.metro_evc_id: type: keyword
netflow.metro_evc_type: type: short
netflow.mib_capture_time_semantics: type: short
netflow.mib_context_engine_id: type: short
netflow.mib_context_name: type: keyword
netflow.mib_index_indicator: type: long
netflow.mib_module_name: type: keyword
netflow.mib_object_description: type: keyword
netflow.mib_object_identifier: type: short
netflow.mib_object_name: type: keyword
netflow.mib_object_syntax: type: keyword
netflow.mib_object_value_bits: type: short
netflow.mib_object_value_counter: type: long
netflow.mib_object_value_gauge: type: long
netflow.mib_object_value_integer: type: integer
netflow.mib_object_value_ip_address: type: ip
netflow.mib_object_value_octet_string: type: short
netflow.mib_object_value_oid: type: short
netflow.mib_object_value_time_ticks: type: long
netflow.mib_object_value_unsigned: type: long
netflow.mib_sub_identifier: type: long
netflow.min_export_seconds: type: date
netflow.min_flow_start_microseconds: type: date
netflow.min_flow_start_milliseconds: type: date
netflow.min_flow_start_nanoseconds: type: date
netflow.min_flow_start_seconds: type: date
netflow.minimum_ip_total_length: type: long
netflow.minimum_layer2_total_length: type: long
netflow.minimum_ttl: type: short
netflow.mobile_imsi: type: keyword
netflow.mobile_msisdn: type: keyword
netflow.monitoring_interval_end_milli_seconds: type: date
netflow.monitoring_interval_start_milli_seconds: type: date
netflow.mpls_label_stack_depth: type: long
netflow.mpls_label_stack_length: type: long
netflow.mpls_label_stack_section: type: short
netflow.mpls_label_stack_section10: type: short
netflow.mpls_label_stack_section2: type: short
netflow.mpls_label_stack_section3: type: short
netflow.mpls_label_stack_section4: type: short
netflow.mpls_label_stack_section5: type: short
netflow.mpls_label_stack_section6: type: short
netflow.mpls_label_stack_section7: type: short
netflow.mpls_label_stack_section8: type: short
netflow.mpls_label_stack_section9: type: short
netflow.mpls_payload_length: type: long
netflow.mpls_payload_packet_section: type: short
netflow.mpls_top_label_exp: type: short
netflow.mpls_top_label_ipv4_address: type: ip
netflow.mpls_top_label_ipv6_address: type: ip
netflow.mpls_top_label_prefix_length: type: short
netflow.mpls_top_label_stack_section: type: short
netflow.mpls_top_label_ttl: type: short
netflow.mpls_top_label_type: type: short
netflow.mpls_vpn_route_distinguisher: type: short
netflow.mptcp_address_id: type: short
netflow.mptcp_flags: type: short
netflow.mptcp_initial_data_sequence_number: type: long
netflow.mptcp_maximum_segment_size: type: integer
netflow.mptcp_receiver_token: type: long
netflow.multicast_replication_factor: type: long
netflow.nat_event: type: short
netflow.nat_inside_svcid: type: integer
netflow.nat_instance_id: type: long
netflow.nat_originating_address_realm: type: short
netflow.nat_outside_svcid: type: integer
netflow.nat_pool_id: type: long
netflow.nat_pool_name: type: keyword
netflow.nat_quota_exceeded_event: type: long
netflow.nat_sub_string: type: keyword
netflow.nat_threshold_event: type: long
netflow.nat_type: type: short
netflow.netscale_ica_client_version: type: keyword
netflow.netscaler_aaa_username: type: keyword
netflow.netscaler_app_name: type: keyword
netflow.netscaler_app_name_app_id: type: long
netflow.netscaler_app_name_incarnation_number: type: long
netflow.netscaler_app_template_name: type: keyword
netflow.netscaler_app_unit_name_app_id: type: long
netflow.netscaler_application_startup_duration: type: long
netflow.netscaler_application_startup_time: type: long
netflow.netscaler_cache_redir_client_connection_core_id: type: long
netflow.netscaler_cache_redir_client_connection_transaction_id: type: long
netflow.netscaler_client_rtt: type: long
netflow.netscaler_connection_chain_hop_count: type: long
netflow.netscaler_connection_chain_id: type: short
netflow.netscaler_connection_id: type: long
netflow.netscaler_current_license_consumed: type: long
netflow.netscaler_db_clt_host_name: type: keyword
netflow.netscaler_db_database_name: type: keyword
netflow.netscaler_db_login_flags: type: long
netflow.netscaler_db_protocol_name: type: short
netflow.netscaler_db_req_string: type: keyword
netflow.netscaler_db_req_type: type: short
netflow.netscaler_db_resp_length: type: long
netflow.netscaler_db_resp_status: type: long
netflow.netscaler_db_resp_status_string: type: keyword
netflow.netscaler_db_user_name: type: keyword
netflow.netscaler_flow_flags: type: long
netflow.netscaler_http_client_interaction_end_time: type: keyword
netflow.netscaler_http_client_interaction_start_time: type: keyword
netflow.netscaler_http_client_render_end_time: type: keyword
netflow.netscaler_http_client_render_start_time: type: keyword
netflow.netscaler_http_content_type: type: keyword
netflow.netscaler_http_domain_name: type: keyword
netflow.netscaler_http_req_authorization: type: keyword
netflow.netscaler_http_req_cookie: type: keyword
netflow.netscaler_http_req_forw_fb: type: long
netflow.netscaler_http_req_forw_lb: type: long
netflow.netscaler_http_req_host: type: keyword
netflow.netscaler_http_req_method: type: keyword
netflow.netscaler_http_req_rcv_fb: type: long
netflow.netscaler_http_req_rcv_lb: type: long
netflow.netscaler_http_req_referer: type: keyword
netflow.netscaler_http_req_url: type: keyword
netflow.netscaler_http_req_user_agent: type: keyword
netflow.netscaler_http_req_via: type: keyword
netflow.netscaler_http_req_xforwarded_for: type: keyword
netflow.netscaler_http_res_forw_fb: type: long
netflow.netscaler_http_res_forw_lb: type: long
netflow.netscaler_http_res_location: type: keyword
netflow.netscaler_http_res_rcv_fb: type: long
netflow.netscaler_http_res_rcv_lb: type: long
netflow.netscaler_http_res_set_cookie: type: keyword
netflow.netscaler_http_res_set_cookie2: type: keyword
netflow.netscaler_http_rsp_len: type: long
netflow.netscaler_http_rsp_status: type: integer
netflow.netscaler_ica_app_module_path: type: keyword
netflow.netscaler_ica_app_process_id: type: long
netflow.netscaler_ica_application_name: type: keyword
netflow.netscaler_ica_application_termination_time: type: long
netflow.netscaler_ica_application_termination_type: type: integer
netflow.netscaler_ica_channel_id1: type: long
netflow.netscaler_ica_channel_id1_bytes: type: long
netflow.netscaler_ica_channel_id2: type: long
netflow.netscaler_ica_channel_id2_bytes: type: long
netflow.netscaler_ica_channel_id3: type: long
netflow.netscaler_ica_channel_id3_bytes: type: long
netflow.netscaler_ica_channel_id4: type: long
netflow.netscaler_ica_channel_id4_bytes: type: long
netflow.netscaler_ica_channel_id5: type: long
netflow.netscaler_ica_channel_id5_bytes: type: long
netflow.netscaler_ica_client_host_name: type: keyword
netflow.netscaler_ica_client_ip: type: ip
netflow.netscaler_ica_client_launcher: type: integer
netflow.netscaler_ica_client_side_rto_count: type: integer
netflow.netscaler_ica_client_side_window_size: type: integer
netflow.netscaler_ica_client_type: type: integer
netflow.netscaler_ica_clientside_delay: type: long
netflow.netscaler_ica_clientside_jitter: type: long
netflow.netscaler_ica_clientside_packets_retransmit: type: integer
netflow.netscaler_ica_clientside_rtt: type: long
netflow.netscaler_ica_clientside_rx_bytes: type: long
netflow.netscaler_ica_clientside_srtt: type: long
netflow.netscaler_ica_clientside_tx_bytes: type: long
netflow.netscaler_ica_connection_priority: type: integer
netflow.netscaler_ica_device_serial_no: type: long
netflow.netscaler_ica_domain_name: type: keyword
netflow.netscaler_ica_flags: type: long
netflow.netscaler_ica_host_delay: type: long
netflow.netscaler_ica_l7_client_latency: type: long
netflow.netscaler_ica_l7_server_latency: type: long
netflow.netscaler_ica_launch_mechanism: type: integer
netflow.netscaler_ica_network_update_end_time: type: long
netflow.netscaler_ica_network_update_start_time: type: long
netflow.netscaler_ica_rtt: type: long
netflow.netscaler_ica_server_name: type: keyword
netflow.netscaler_ica_server_side_rto_count: type: integer
netflow.netscaler_ica_server_side_window_size: type: integer
netflow.netscaler_ica_serverside_delay: type: long
netflow.netscaler_ica_serverside_jitter: type: long
netflow.netscaler_ica_serverside_packets_retransmit: type: integer
netflow.netscaler_ica_serverside_rtt: type: long
netflow.netscaler_ica_serverside_srtt: type: long
netflow.netscaler_ica_session_end_time: type: long
netflow.netscaler_ica_session_guid: type: short
netflow.netscaler_ica_session_reconnects: type: short
netflow.netscaler_ica_session_setup_time: type: long
netflow.netscaler_ica_session_update_begin_sec: type: long
netflow.netscaler_ica_session_update_end_sec: type: long
netflow.netscaler_ica_username: type: keyword
netflow.netscaler_license_type: type: short
netflow.netscaler_main_page_core_id: type: long
netflow.netscaler_main_page_id: type: long
netflow.netscaler_max_license_count: type: long
netflow.netscaler_msi_client_cookie: type: short
netflow.netscaler_round_trip_time: type: long
netflow.netscaler_server_ttfb: type: long
netflow.netscaler_server_ttlb: type: long
netflow.netscaler_syslog_message: type: keyword
netflow.netscaler_syslog_priority: type: short
netflow.netscaler_syslog_timestamp: type: long
netflow.netscaler_transaction_id: type: long
netflow.netscaler_unknown270: type: long
netflow.netscaler_unknown271: type: long
netflow.netscaler_unknown272: type: long
netflow.netscaler_unknown273: type: long
netflow.netscaler_unknown274: type: long
netflow.netscaler_unknown275: type: long
netflow.netscaler_unknown276: type: long
netflow.netscaler_unknown277: type: long
netflow.netscaler_unknown278: type: long
netflow.netscaler_unknown279: type: long
netflow.netscaler_unknown280: type: long
netflow.netscaler_unknown281: type: long
netflow.netscaler_unknown282: type: long
netflow.netscaler_unknown283: type: long
netflow.netscaler_unknown284: type: long
netflow.netscaler_unknown285: type: long
netflow.netscaler_unknown286: type: long
netflow.netscaler_unknown287: type: long
netflow.netscaler_unknown288: type: long
netflow.netscaler_unknown289: type: long
netflow.netscaler_unknown290: type: long
netflow.netscaler_unknown291: type: long
netflow.netscaler_unknown292: type: long
netflow.netscaler_unknown293: type: long
netflow.netscaler_unknown294: type: long
netflow.netscaler_unknown295: type: long
netflow.netscaler_unknown296: type: long
netflow.netscaler_unknown297: type: long
netflow.netscaler_unknown298: type: long
netflow.netscaler_unknown299: type: long
netflow.netscaler_unknown300: type: long
netflow.netscaler_unknown301: type: long
netflow.netscaler_unknown302: type: long
netflow.netscaler_unknown303: type: long
netflow.netscaler_unknown304: type: long
netflow.netscaler_unknown305: type: long
netflow.netscaler_unknown306: type: long
netflow.netscaler_unknown307: type: long
netflow.netscaler_unknown308: type: long
netflow.netscaler_unknown309: type: long
netflow.netscaler_unknown310: type: long
netflow.netscaler_unknown311: type: long
netflow.netscaler_unknown312: type: long
netflow.netscaler_unknown313: type: long
netflow.netscaler_unknown314: type: long
netflow.netscaler_unknown315: type: long
netflow.netscaler_unknown316: type: keyword
netflow.netscaler_unknown317: type: long
netflow.netscaler_unknown318: type: long
netflow.netscaler_unknown319: type: keyword
netflow.netscaler_unknown320: type: integer
netflow.netscaler_unknown321: type: long
netflow.netscaler_unknown322: type: long
netflow.netscaler_unknown323: type: integer
netflow.netscaler_unknown324: type: integer
netflow.netscaler_unknown325: type: integer
netflow.netscaler_unknown326: type: integer
netflow.netscaler_unknown327: type: long
netflow.netscaler_unknown328: type: integer
netflow.netscaler_unknown329: type: integer
netflow.netscaler_unknown330: type: integer
netflow.netscaler_unknown331: type: integer
netflow.netscaler_unknown332: type: long
netflow.netscaler_unknown333: type: keyword
netflow.netscaler_unknown334: type: keyword
netflow.netscaler_unknown335: type: long
netflow.netscaler_unknown336: type: long
netflow.netscaler_unknown337: type: long
netflow.netscaler_unknown338: type: long
netflow.netscaler_unknown339: type: long
netflow.netscaler_unknown340: type: long
netflow.netscaler_unknown341: type: long
netflow.netscaler_unknown342: type: long
netflow.netscaler_unknown343: type: long
netflow.netscaler_unknown344: type: long
netflow.netscaler_unknown345: type: long
netflow.netscaler_unknown346: type: long
netflow.netscaler_unknown347: type: long
netflow.netscaler_unknown348: type: integer
netflow.netscaler_unknown349: type: keyword
netflow.netscaler_unknown350: type: keyword
netflow.netscaler_unknown351: type: keyword
netflow.netscaler_unknown352: type: integer
netflow.netscaler_unknown353: type: long
netflow.netscaler_unknown354: type: long
netflow.netscaler_unknown355: type: long
netflow.netscaler_unknown356: type: long
netflow.netscaler_unknown357: type: long
netflow.netscaler_unknown363: type: short
netflow.netscaler_unknown383: type: short
netflow.netscaler_unknown391: type: long
netflow.netscaler_unknown398: type: long
netflow.netscaler_unknown404: type: long
netflow.netscaler_unknown405: type: long
netflow.netscaler_unknown427: type: long
netflow.netscaler_unknown429: type: short
netflow.netscaler_unknown432: type: short
netflow.netscaler_unknown433: type: short
netflow.netscaler_unknown453: type: long
netflow.netscaler_unknown465: type: long
netflow.new_connection_delta_count: type: long
netflow.next_header_ipv6: type: short
netflow.non_empty_packet_count: type: long
netflow.not_sent_flow_total_count: type: long
netflow.not_sent_layer2_octet_total_count: type: long
netflow.not_sent_octet_total_count: type: long
netflow.not_sent_packet_total_count: type: long
netflow.observation_domain_id: type: long
netflow.observation_domain_name: type: keyword
netflow.observation_point_id: type: long
netflow.observation_point_type: type: short
netflow.observation_time_microseconds: type: date
netflow.observation_time_milliseconds: type: date
netflow.observation_time_nanoseconds: type: date
netflow.observation_time_seconds: type: date
netflow.observed_flow_total_count: type: long
netflow.octet_delta_count: type: long
netflow.octet_delta_sum_of_squares: type: long
netflow.octet_total_count: type: long
netflow.octet_total_sum_of_squares: type: long
netflow.opaque_octets: type: short
netflow.original_exporter_ipv4_address: type: ip
netflow.original_exporter_ipv6_address: type: ip
netflow.original_flows_completed: type: long
netflow.original_flows_initiated: type: long
netflow.original_flows_present: type: long
netflow.original_observation_domain_id: type: long
netflow.os_finger_print: type: keyword
netflow.os_name: type: keyword
netflow.os_version: type: keyword
netflow.p2p_technology: type: keyword
netflow.packet_delta_count: type: long
netflow.packet_total_count: type: long
netflow.padding_octets: type: short
netflow.payload: type: keyword
netflow.payload_entropy: type: short
netflow.payload_length_ipv6: type: integer
netflow.policy_qos_classification_hierarchy: type: long
netflow.policy_qos_queue_index: type: long
netflow.policy_qos_queuedrops: type: long
netflow.policy_qos_queueindex: type: long
netflow.port_id: type: long
netflow.port_range_end: type: integer
netflow.port_range_num_ports: type: integer
netflow.port_range_start: type: integer
netflow.port_range_step_size: type: integer
netflow.post_destination_mac_address: type: keyword
netflow.post_dot1q_customer_vlan_id: type: integer
netflow.post_dot1q_vlan_id: type: integer
netflow.post_ip_class_of_service: type: short
netflow.post_ip_diff_serv_code_point: type: short
netflow.post_ip_precedence: type: short
netflow.post_layer2_octet_delta_count: type: long
netflow.post_layer2_octet_total_count: type: long
netflow.post_mcast_layer2_octet_delta_count: type: long
netflow.post_mcast_layer2_octet_total_count: type: long
netflow.post_mcast_octet_delta_count: type: long
netflow.post_mcast_octet_total_count: type: long
netflow.post_mcast_packet_delta_count: type: long
netflow.post_mcast_packet_total_count: type: long
netflow.post_mpls_top_label_exp: type: short
netflow.post_napt_destination_transport_port: type: integer
netflow.post_napt_source_transport_port: type: integer
netflow.post_nat_destination_ipv4_address: type: ip
netflow.post_nat_destination_ipv6_address: type: ip
netflow.post_nat_source_ipv4_address: type: ip
netflow.post_nat_source_ipv6_address: type: ip
netflow.post_octet_delta_count: type: long
netflow.post_octet_total_count: type: long
netflow.post_packet_delta_count: type: long
netflow.post_packet_total_count: type: long
netflow.post_source_mac_address: type: keyword
netflow.post_vlan_id: type: integer
netflow.private_enterprise_number: type: long
netflow.procera_apn: type: keyword
netflow.procera_base_service: type: keyword
netflow.procera_content_categories: type: keyword
netflow.procera_device_id: type: long
netflow.procera_external_rtt: type: integer
netflow.procera_flow_behavior: type: keyword
netflow.procera_ggsn: type: keyword
netflow.procera_http_content_type: type: keyword
netflow.procera_http_file_length: type: long
netflow.procera_http_language: type: keyword
netflow.procera_http_location: type: keyword
netflow.procera_http_referer: type: keyword
netflow.procera_http_request_method: type: keyword
netflow.procera_http_request_version: type: keyword
netflow.procera_http_response_status: type: integer
netflow.procera_http_url: type: keyword
netflow.procera_http_user_agent: type: keyword
netflow.procera_imsi: type: long
netflow.procera_incoming_octets: type: long
netflow.procera_incoming_packets: type: long
netflow.procera_incoming_shaping_drops: type: long
netflow.procera_incoming_shaping_latency: type: integer
netflow.procera_internal_rtt: type: integer
netflow.procera_local_ipv4_host: type: ip
netflow.procera_local_ipv6_host: type: ip
netflow.procera_msisdn: type: long
netflow.procera_outgoing_octets: type: long
netflow.procera_outgoing_packets: type: long
netflow.procera_outgoing_shaping_drops: type: long
netflow.procera_outgoing_shaping_latency: type: integer
netflow.procera_property: type: keyword
netflow.procera_qoe_incoming_external: type: float
netflow.procera_qoe_incoming_internal: type: float
netflow.procera_qoe_outgoing_external: type: float
netflow.procera_qoe_outgoing_internal: type: float
netflow.procera_rat: type: keyword
netflow.procera_remote_ipv4_host: type: ip
netflow.procera_remote_ipv6_host: type: ip
netflow.procera_rnc: type: integer
netflow.procera_server_hostname: type: keyword
netflow.procera_service: type: keyword
netflow.procera_sgsn: type: keyword
netflow.procera_subscriber_identifier: type: keyword
netflow.procera_template_name: type: keyword
netflow.procera_user_location_information: type: keyword
netflow.protocol_identifier: type: short
netflow.pseudo_wire_control_word: type: long
netflow.pseudo_wire_destination_ipv4_address: type: ip
netflow.pseudo_wire_id: type: long
netflow.pseudo_wire_type: type: integer
netflow.reason: type: long
netflow.reason_text: type: keyword
netflow.relative_error: type: double
netflow.responder_octets: type: long
netflow.responder_packets: type: long
netflow.reverse_absolute_error: type: double
netflow.reverse_anonymization_flags: type: integer
netflow.reverse_anonymization_technique: type: integer
netflow.reverse_application_category_name: type: keyword
netflow.reverse_application_description: type: keyword
netflow.reverse_application_group_name: type: keyword
netflow.reverse_application_id: type: keyword
netflow.reverse_application_name: type: keyword
netflow.reverse_application_sub_category_name: type: keyword
netflow.reverse_average_interarrival_time: type: long
netflow.reverse_bgp_destination_as_number: type: long
netflow.reverse_bgp_next_adjacent_as_number: type: long
netflow.reverse_bgp_next_hop_ipv4_address: type: ip
netflow.reverse_bgp_next_hop_ipv6_address: type: ip
netflow.reverse_bgp_prev_adjacent_as_number: type: long
netflow.reverse_bgp_source_as_number: type: long
netflow.reverse_bgp_validity_state: type: short
netflow.reverse_class_id: type: short
netflow.reverse_class_name: type: keyword
netflow.reverse_classification_engine_id: type: short
netflow.reverse_collection_time_milliseconds: type: long
netflow.reverse_collector_certificate: type: keyword
netflow.reverse_confidence_level: type: double
netflow.reverse_connection_sum_duration_seconds: type: long
netflow.reverse_connection_transaction_id: type: long
netflow.reverse_data_byte_count: type: long
netflow.reverse_data_link_frame_section: type: keyword
netflow.reverse_data_link_frame_size: type: integer
netflow.reverse_data_link_frame_type: type: integer
netflow.reverse_data_records_reliability: type: short
netflow.reverse_delta_flow_count: type: long
netflow.reverse_destination_ipv4_address: type: ip
netflow.reverse_destination_ipv4_prefix: type: ip
netflow.reverse_destination_ipv4_prefix_length: type: short
netflow.reverse_destination_ipv6_address: type: ip
netflow.reverse_destination_ipv6_prefix: type: ip
netflow.reverse_destination_ipv6_prefix_length: type: short
netflow.reverse_destination_mac_address: type: keyword
netflow.reverse_destination_transport_port: type: integer
netflow.reverse_digest_hash_value: type: long
netflow.reverse_distinct_count_of_destination_ip_address: type: long
netflow.reverse_distinct_count_of_destination_ipv4_address: type: long
netflow.reverse_distinct_count_of_destination_ipv6_address: type: long
netflow.reverse_distinct_count_of_source_ip_address: type: long
netflow.reverse_distinct_count_of_source_ipv4_address: type: long
netflow.reverse_distinct_count_of_source_ipv6_address: type: long
netflow.reverse_dot1q_customer_dei: type: short
netflow.reverse_dot1q_customer_destination_mac_address: type: keyword
netflow.reverse_dot1q_customer_priority: type: short
netflow.reverse_dot1q_customer_source_mac_address: type: keyword
netflow.reverse_dot1q_customer_vlan_id: type: integer
netflow.reverse_dot1q_dei: type: short
netflow.reverse_dot1q_priority: type: short
netflow.reverse_dot1q_service_instance_id: type: long
netflow.reverse_dot1q_service_instance_priority: type: short
netflow.reverse_dot1q_service_instance_tag: type: keyword
netflow.reverse_dot1q_vlan_id: type: integer
netflow.reverse_dropped_layer2_octet_delta_count: type: long
netflow.reverse_dropped_layer2_octet_total_count: type: long
netflow.reverse_dropped_octet_delta_count: type: long
netflow.reverse_dropped_octet_total_count: type: long
netflow.reverse_dropped_packet_delta_count: type: long
netflow.reverse_dropped_packet_total_count: type: long
netflow.reverse_dst_traffic_index: type: long
netflow.reverse_egress_broadcast_packet_total_count: type: long
netflow.reverse_egress_interface: type: long
netflow.reverse_egress_interface_type: type: long
netflow.reverse_egress_physical_interface: type: long
netflow.reverse_egress_unicast_packet_total_count: type: long
netflow.reverse_egress_vrfid: type: long
netflow.reverse_encrypted_technology: type: keyword
netflow.reverse_engine_id: type: short
netflow.reverse_engine_type: type: short
netflow.reverse_ethernet_header_length: type: short
netflow.reverse_ethernet_payload_length: type: integer
netflow.reverse_ethernet_total_length: type: integer
netflow.reverse_ethernet_type: type: integer
netflow.reverse_export_sctp_stream_id: type: integer
netflow.reverse_exporter_certificate: type: keyword
netflow.reverse_exporting_process_id: type: long
netflow.reverse_firewall_event: type: short
netflow.reverse_first_non_empty_packet_size: type: integer
netflow.reverse_first_packet_banner: type: keyword
netflow.reverse_flags_and_sampler_id: type: long
netflow.reverse_flow_active_timeout: type: integer
netflow.reverse_flow_attributes: type: integer
netflow.reverse_flow_delta_milliseconds: type: long
netflow.reverse_flow_direction: type: short
netflow.reverse_flow_duration_microseconds: type: long
netflow.reverse_flow_duration_milliseconds: type: long
netflow.reverse_flow_end_delta_microseconds: type: long
netflow.reverse_flow_end_microseconds: type: long
netflow.reverse_flow_end_milliseconds: type: long
netflow.reverse_flow_end_nanoseconds: type: long
netflow.reverse_flow_end_reason: type: short
netflow.reverse_flow_end_seconds: type: long
netflow.reverse_flow_end_sys_up_time: type: long
netflow.reverse_flow_idle_timeout: type: integer
netflow.reverse_flow_label_ipv6: type: long
netflow.reverse_flow_sampling_time_interval: type: long
netflow.reverse_flow_sampling_time_spacing: type: long
netflow.reverse_flow_selected_flow_delta_count: type: long
netflow.reverse_flow_selected_octet_delta_count: type: long
netflow.reverse_flow_selected_packet_delta_count: type: long
netflow.reverse_flow_selector_algorithm: type: integer
netflow.reverse_flow_start_delta_microseconds: type: long
netflow.reverse_flow_start_microseconds: type: long
netflow.reverse_flow_start_milliseconds: type: long
netflow.reverse_flow_start_nanoseconds: type: long
netflow.reverse_flow_start_seconds: type: long
netflow.reverse_flow_start_sys_up_time: type: long
netflow.reverse_forwarding_status: type: long
netflow.reverse_fragment_flags: type: short
netflow.reverse_fragment_identification: type: long
netflow.reverse_fragment_offset: type: integer
netflow.reverse_gre_key: type: long
netflow.reverse_hash_digest_output: type: short
netflow.reverse_hash_flow_domain: type: integer
netflow.reverse_hash_initialiser_value: type: long
netflow.reverse_hash_ip_payload_offset: type: long
netflow.reverse_hash_ip_payload_size: type: long
netflow.reverse_hash_output_range_max: type: long
netflow.reverse_hash_output_range_min: type: long
netflow.reverse_hash_selected_range_max: type: long
netflow.reverse_hash_selected_range_min: type: long
netflow.reverse_icmp_code_ipv4: type: short
netflow.reverse_icmp_code_ipv6: type: short
netflow.reverse_icmp_type_code_ipv4: type: integer
netflow.reverse_icmp_type_code_ipv6: type: integer
netflow.reverse_icmp_type_ipv4: type: short
netflow.reverse_icmp_type_ipv6: type: short
netflow.reverse_igmp_type: type: short
netflow.reverse_ignored_data_record_total_count: type: long
netflow.reverse_ignored_layer2_frame_total_count: type: long
netflow.reverse_ignored_layer2_octet_total_count: type: long
netflow.reverse_information_element_data_type: type: short
netflow.reverse_information_element_description: type: keyword
netflow.reverse_information_element_id: type: integer
netflow.reverse_information_element_index: type: integer
netflow.reverse_information_element_name: type: keyword
netflow.reverse_information_element_range_begin: type: long
netflow.reverse_information_element_range_end: type: long
netflow.reverse_information_element_semantics: type: short
netflow.reverse_information_element_units: type: integer
netflow.reverse_ingress_broadcast_packet_total_count: type: long
netflow.reverse_ingress_interface: type: long
netflow.reverse_ingress_interface_type: type: long
netflow.reverse_ingress_multicast_packet_total_count: type: long
netflow.reverse_ingress_physical_interface: type: long
netflow.reverse_ingress_unicast_packet_total_count: type: long
netflow.reverse_ingress_vrfid: type: long
netflow.reverse_initial_tcp_flags: type: short
netflow.reverse_initiator_octets: type: long
netflow.reverse_initiator_packets: type: long
netflow.reverse_interface_description: type: keyword
netflow.reverse_interface_name: type: keyword
netflow.reverse_intermediate_process_id: type: long
netflow.reverse_ip_class_of_service: type: short
netflow.reverse_ip_diff_serv_code_point: type: short
netflow.reverse_ip_header_length: type: short
netflow.reverse_ip_header_packet_section: type: keyword
netflow.reverse_ip_next_hop_ipv4_address: type: ip
netflow.reverse_ip_next_hop_ipv6_address: type: ip
netflow.reverse_ip_payload_length: type: long
netflow.reverse_ip_payload_packet_section: type: keyword
netflow.reverse_ip_precedence: type: short
netflow.reverse_ip_sec_spi: type: long
netflow.reverse_ip_total_length: type: long
netflow.reverse_ip_ttl: type: short
netflow.reverse_ip_version: type: short
netflow.reverse_ipv4_ihl: type: short
netflow.reverse_ipv4_options: type: long
netflow.reverse_ipv4_router_sc: type: ip
netflow.reverse_ipv6_extension_headers: type: long
netflow.reverse_is_multicast: type: short
netflow.reverse_large_packet_count: type: long
netflow.reverse_layer2_frame_delta_count: type: long
netflow.reverse_layer2_frame_total_count: type: long
netflow.reverse_layer2_octet_delta_count: type: long
netflow.reverse_layer2_octet_delta_sum_of_squares: type: long
netflow.reverse_layer2_octet_total_count: type: long
netflow.reverse_layer2_octet_total_sum_of_squares: type: long
netflow.reverse_layer2_segment_id: type: long
netflow.reverse_layer2packet_section_data: type: keyword
netflow.reverse_layer2packet_section_offset: type: integer
netflow.reverse_layer2packet_section_size: type: integer
netflow.reverse_line_card_id: type: long
netflow.reverse_lower_ci_limit: type: double
netflow.reverse_max_export_seconds: type: long
netflow.reverse_max_flow_end_microseconds: type: long
netflow.reverse_max_flow_end_milliseconds: type: long
netflow.reverse_max_flow_end_nanoseconds: type: long
netflow.reverse_max_flow_end_seconds: type: long
netflow.reverse_max_packet_size: type: integer
netflow.reverse_maximum_ip_total_length: type: long
netflow.reverse_maximum_layer2_total_length: type: long
netflow.reverse_maximum_ttl: type: short
netflow.reverse_message_md5_checksum: type: keyword
netflow.reverse_message_scope: type: short
netflow.reverse_metering_process_id: type: long
netflow.reverse_metro_evc_id: type: keyword
netflow.reverse_metro_evc_type: type: short
netflow.reverse_min_export_seconds: type: long
netflow.reverse_min_flow_start_microseconds: type: long
netflow.reverse_min_flow_start_milliseconds: type: long
netflow.reverse_min_flow_start_nanoseconds: type: long
netflow.reverse_min_flow_start_seconds: type: long
netflow.reverse_minimum_ip_total_length: type: long
netflow.reverse_minimum_layer2_total_length: type: long
netflow.reverse_minimum_ttl: type: short
netflow.reverse_monitoring_interval_end_milli_seconds: type: long
netflow.reverse_monitoring_interval_start_milli_seconds: type: long
netflow.reverse_mpls_label_stack_depth: type: long
netflow.reverse_mpls_label_stack_length: type: long
netflow.reverse_mpls_label_stack_section: type: keyword
netflow.reverse_mpls_label_stack_section10: type: keyword
netflow.reverse_mpls_label_stack_section2: type: keyword
netflow.reverse_mpls_label_stack_section3: type: keyword
netflow.reverse_mpls_label_stack_section4: type: keyword
netflow.reverse_mpls_label_stack_section5: type: keyword
netflow.reverse_mpls_label_stack_section6: type: keyword
netflow.reverse_mpls_label_stack_section7: type: keyword
netflow.reverse_mpls_label_stack_section8: type: keyword
netflow.reverse_mpls_label_stack_section9: type: keyword
netflow.reverse_mpls_payload_length: type: long
netflow.reverse_mpls_payload_packet_section: type: keyword
netflow.reverse_mpls_top_label_exp: type: short
netflow.reverse_mpls_top_label_ipv4_address: type: ip
netflow.reverse_mpls_top_label_ipv6_address: type: ip
netflow.reverse_mpls_top_label_prefix_length: type: short
netflow.reverse_mpls_top_label_stack_section: type: keyword
netflow.reverse_mpls_top_label_ttl: type: short
netflow.reverse_mpls_top_label_type: type: short
netflow.reverse_mpls_vpn_route_distinguisher: type: keyword
netflow.reverse_multicast_replication_factor: type: long
netflow.reverse_nat_event: type: short
netflow.reverse_nat_originating_address_realm: type: short
netflow.reverse_nat_pool_id: type: long
netflow.reverse_nat_pool_name: type: keyword
netflow.reverse_nat_type: type: short
netflow.reverse_new_connection_delta_count: type: long
netflow.reverse_next_header_ipv6: type: short
netflow.reverse_non_empty_packet_count: type: long
netflow.reverse_not_sent_layer2_octet_total_count: type: long
netflow.reverse_observation_domain_name: type: keyword
netflow.reverse_observation_point_id: type: long
netflow.reverse_observation_point_type: type: short
netflow.reverse_observation_time_microseconds: type: long
netflow.reverse_observation_time_milliseconds: type: long
netflow.reverse_observation_time_nanoseconds: type: long
netflow.reverse_observation_time_seconds: type: long
netflow.reverse_octet_delta_count: type: long
netflow.reverse_octet_delta_sum_of_squares: type: long
netflow.reverse_octet_total_count: type: long
netflow.reverse_octet_total_sum_of_squares: type: long
netflow.reverse_opaque_octets: type: keyword
netflow.reverse_original_exporter_ipv4_address: type: ip
netflow.reverse_original_exporter_ipv6_address: type: ip
netflow.reverse_original_flows_completed: type: long
netflow.reverse_original_flows_initiated: type: long
netflow.reverse_original_flows_present: type: long
netflow.reverse_original_observation_domain_id: type: long
netflow.reverse_os_finger_print: type: keyword
netflow.reverse_os_name: type: keyword
netflow.reverse_os_version: type: keyword
netflow.reverse_p2p_technology: type: keyword
netflow.reverse_packet_delta_count: type: long
netflow.reverse_packet_total_count: type: long
netflow.reverse_payload: type: keyword
netflow.reverse_payload_entropy: type: short
netflow.reverse_payload_length_ipv6: type: integer
netflow.reverse_port_id: type: long
netflow.reverse_port_range_end: type: integer
netflow.reverse_port_range_num_ports: type: integer
netflow.reverse_port_range_start: type: integer
netflow.reverse_port_range_step_size: type: integer
netflow.reverse_post_destination_mac_address: type: keyword
netflow.reverse_post_dot1q_customer_vlan_id: type: integer
netflow.reverse_post_dot1q_vlan_id: type: integer
netflow.reverse_post_ip_class_of_service: type: short
netflow.reverse_post_ip_diff_serv_code_point: type: short
netflow.reverse_post_ip_precedence: type: short
netflow.reverse_post_layer2_octet_delta_count: type: long
netflow.reverse_post_layer2_octet_total_count: type: long
netflow.reverse_post_mcast_layer2_octet_delta_count: type: long
netflow.reverse_post_mcast_layer2_octet_total_count: type: long
netflow.reverse_post_mcast_octet_delta_count: type: long
netflow.reverse_post_mcast_octet_total_count: type: long
netflow.reverse_post_mcast_packet_delta_count: type: long
netflow.reverse_post_mcast_packet_total_count: type: long
netflow.reverse_post_mpls_top_label_exp: type: short
netflow.reverse_post_napt_destination_transport_port: type: integer
netflow.reverse_post_napt_source_transport_port: type: integer
netflow.reverse_post_nat_destination_ipv4_address: type: ip
netflow.reverse_post_nat_destination_ipv6_address: type: ip
netflow.reverse_post_nat_source_ipv4_address: type: ip
netflow.reverse_post_nat_source_ipv6_address: type: ip
netflow.reverse_post_octet_delta_count: type: long
netflow.reverse_post_octet_total_count: type: long
netflow.reverse_post_packet_delta_count: type: long
netflow.reverse_post_packet_total_count: type: long
netflow.reverse_post_source_mac_address: type: keyword
netflow.reverse_post_vlan_id: type: integer
netflow.reverse_private_enterprise_number: type: long
netflow.reverse_protocol_identifier: type: short
netflow.reverse_pseudo_wire_control_word: type: long
netflow.reverse_pseudo_wire_destination_ipv4_address: type: ip
netflow.reverse_pseudo_wire_id: type: long
netflow.reverse_pseudo_wire_type: type: integer
netflow.reverse_relative_error: type: double
netflow.reverse_responder_octets: type: long
netflow.reverse_responder_packets: type: long
netflow.reverse_rfc3550_jitter_microseconds: type: long
netflow.reverse_rfc3550_jitter_milliseconds: type: long
netflow.reverse_rfc3550_jitter_nanoseconds: type: long
netflow.reverse_rtp_payload_type: type: short
netflow.reverse_rtp_sequence_number: type: integer
netflow.reverse_sampler_id: type: short
netflow.reverse_sampler_mode: type: short
netflow.reverse_sampler_name: type: keyword
netflow.reverse_sampler_random_interval: type: long
netflow.reverse_sampling_algorithm: type: short
netflow.reverse_sampling_flow_interval: type: long
netflow.reverse_sampling_flow_spacing: type: long
netflow.reverse_sampling_interval: type: long
netflow.reverse_sampling_packet_interval: type: long
netflow.reverse_sampling_packet_space: type: long
netflow.reverse_sampling_population: type: long
netflow.reverse_sampling_probability: type: double
netflow.reverse_sampling_size: type: long
netflow.reverse_sampling_time_interval: type: long
netflow.reverse_sampling_time_space: type: long
netflow.reverse_second_packet_banner: type: keyword
netflow.reverse_section_exported_octets: type: integer
netflow.reverse_section_offset: type: integer
netflow.reverse_selection_sequence_id: type: long
netflow.reverse_selector_algorithm: type: integer
netflow.reverse_selector_id: type: long
netflow.reverse_selector_id_total_flows_observed: type: long
netflow.reverse_selector_id_total_flows_selected: type: long
netflow.reverse_selector_id_total_pkts_observed: type: long
netflow.reverse_selector_id_total_pkts_selected: type: long
netflow.reverse_selector_name: type: keyword
netflow.reverse_session_scope: type: short
netflow.reverse_small_packet_count: type: long
netflow.reverse_source_ipv4_address: type: ip
netflow.reverse_source_ipv4_prefix: type: ip
netflow.reverse_source_ipv4_prefix_length: type: short
netflow.reverse_source_ipv6_address: type: ip
netflow.reverse_source_ipv6_prefix: type: ip
netflow.reverse_source_ipv6_prefix_length: type: short
netflow.reverse_source_mac_address: type: keyword
netflow.reverse_source_transport_port: type: integer
netflow.reverse_src_traffic_index: type: long
netflow.reverse_sta_ipv4_address: type: ip
netflow.reverse_sta_mac_address: type: keyword
netflow.reverse_standard_deviation_interarrival_time: type: long
netflow.reverse_standard_deviation_payload_length: type: integer
netflow.reverse_system_init_time_milliseconds: type: long
netflow.reverse_tcp_ack_total_count: type: long
netflow.reverse_tcp_acknowledgement_number: type: long
netflow.reverse_tcp_control_bits: type: integer
netflow.reverse_tcp_destination_port: type: integer
netflow.reverse_tcp_fin_total_count: type: long
netflow.reverse_tcp_header_length: type: short
netflow.reverse_tcp_options: type: long
netflow.reverse_tcp_psh_total_count: type: long
netflow.reverse_tcp_rst_total_count: type: long
netflow.reverse_tcp_sequence_number: type: long
netflow.reverse_tcp_source_port: type: integer
netflow.reverse_tcp_syn_total_count: type: long
netflow.reverse_tcp_urg_total_count: type: long
netflow.reverse_tcp_urgent_pointer: type: integer
netflow.reverse_tcp_window_scale: type: integer
netflow.reverse_tcp_window_size: type: integer
netflow.reverse_total_length_ipv4: type: integer
netflow.reverse_transport_octet_delta_count: type: long
netflow.reverse_transport_packet_delta_count: type: long
netflow.reverse_tunnel_technology: type: keyword
netflow.reverse_udp_destination_port: type: integer
netflow.reverse_udp_message_length: type: integer
netflow.reverse_udp_source_port: type: integer
netflow.reverse_union_tcp_flags: type: short
netflow.reverse_upper_ci_limit: type: double
netflow.reverse_user_name: type: keyword
netflow.reverse_value_distribution_method: type: short
netflow.reverse_virtual_station_interface_id: type: keyword
netflow.reverse_virtual_station_interface_name: type: keyword
netflow.reverse_virtual_station_name: type: keyword
netflow.reverse_virtual_station_uuid: type: keyword
netflow.reverse_vlan_id: type: integer
netflow.reverse_vr_fname: type: keyword
netflow.reverse_wlan_channel_id: type: short
netflow.reverse_wlan_ssid: type: keyword
netflow.reverse_wtp_mac_address: type: keyword
netflow.rfc3550_jitter_microseconds: type: long
netflow.rfc3550_jitter_milliseconds: type: long
netflow.rfc3550_jitter_nanoseconds: type: long
netflow.rtp_payload_type: type: short
netflow.rtp_sequence_number: type: integer
netflow.sampler_id: type: short
netflow.sampler_mode: type: short
netflow.sampler_name: type: keyword
netflow.sampler_random_interval: type: long
netflow.sampling_algorithm: type: short
netflow.sampling_flow_interval: type: long
netflow.sampling_flow_spacing: type: long
netflow.sampling_interval: type: long
netflow.sampling_packet_interval: type: long
netflow.sampling_packet_space: type: long
netflow.sampling_population: type: long
netflow.sampling_probability: type: double
netflow.sampling_size: type: long
netflow.sampling_time_interval: type: long
netflow.sampling_time_space: type: long
netflow.second_packet_banner: type: keyword
netflow.section_exported_octets: type: integer
netflow.section_offset: type: integer
netflow.selection_sequence_id: type: long
netflow.selector_algorithm: type: integer
netflow.selector_id: type: long
netflow.selector_id_total_flows_observed: type: long
netflow.selector_id_total_flows_selected: type: long
netflow.selector_id_total_pkts_observed: type: long
netflow.selector_id_total_pkts_selected: type: long
netflow.selector_name: type: keyword
netflow.service_name: type: keyword
netflow.session_scope: type: short
netflow.silk_app_label: type: integer
netflow.small_packet_count: type: long
netflow.source_ipv4_address: type: ip
netflow.source_ipv4_prefix: type: ip
netflow.source_ipv4_prefix_length: type: short
netflow.source_ipv6_address: type: ip
netflow.source_ipv6_prefix: type: ip
netflow.source_ipv6_prefix_length: type: short
netflow.source_mac_address: type: keyword
netflow.source_transport_port: type: integer
netflow.source_transport_ports_limit: type: integer
netflow.src_traffic_index: type: long
netflow.ssl_cert_serial_number: type: keyword
netflow.ssl_cert_signature: type: keyword
netflow.ssl_cert_validity_not_after: type: keyword
netflow.ssl_cert_validity_not_before: type: keyword
netflow.ssl_cert_version: type: short
netflow.ssl_certificate_hash: type: keyword
netflow.ssl_cipher: type: keyword
netflow.ssl_client_version: type: short
netflow.ssl_compression_method: type: short
netflow.ssl_object_type: type: keyword
netflow.ssl_object_value: type: keyword
netflow.ssl_public_key_algorithm: type: keyword
netflow.ssl_public_key_length: type: keyword
netflow.ssl_server_cipher: type: long
netflow.ssl_server_name: type: keyword
netflow.sta_ipv4_address: type: ip
netflow.sta_mac_address: type: keyword
netflow.standard_deviation_interarrival_time: type: long
netflow.standard_deviation_payload_length: type: short
netflow.system_init_time_milliseconds: type: date
netflow.tcp_ack_total_count: type: long
netflow.tcp_acknowledgement_number: type: long
netflow.tcp_control_bits: type: integer
netflow.tcp_destination_port: type: integer
netflow.tcp_fin_total_count: type: long
netflow.tcp_header_length: type: short
netflow.tcp_options: type: long
netflow.tcp_psh_total_count: type: long
netflow.tcp_rst_total_count: type: long
netflow.tcp_sequence_number: type: long
netflow.tcp_source_port: type: integer
netflow.tcp_syn_total_count: type: long
netflow.tcp_urg_total_count: type: long
netflow.tcp_urgent_pointer: type: integer
netflow.tcp_window_scale: type: integer
netflow.tcp_window_size: type: integer
netflow.template_id: type: integer
netflow.tftp_filename: type: keyword
netflow.tftp_mode: type: keyword
netflow.timestamp: type: long
netflow.timestamp_absolute_monitoring-interval: type: long
netflow.total_length_ipv4: type: integer
netflow.traffic_type: type: short
netflow.transport_octet_delta_count: type: long
netflow.transport_packet_delta_count: type: long
netflow.tunnel_technology: type: keyword
netflow.udp_destination_port: type: integer
netflow.udp_message_length: type: integer
netflow.udp_source_port: type: integer
netflow.union_tcp_flags: type: short
netflow.upper_ci_limit: type: double
netflow.user_name: type: keyword
netflow.username: type: keyword
netflow.value_distribution_method: type: short
netflow.viptela_vpn_id: type: long
netflow.virtual_station_interface_id: type: short
netflow.virtual_station_interface_name: type: keyword
netflow.virtual_station_name: type: keyword
netflow.virtual_station_uuid: type: short
netflow.vlan_id: type: integer
netflow.vmware_egress_interface_attr: type: integer
netflow.vmware_ingress_interface_attr: type: integer
netflow.vmware_tenant_dest_ipv4: type: ip
netflow.vmware_tenant_dest_ipv6: type: ip
netflow.vmware_tenant_dest_port: type: integer
netflow.vmware_tenant_protocol: type: short
netflow.vmware_tenant_source_ipv4: type: ip
netflow.vmware_tenant_source_ipv6: type: ip
netflow.vmware_tenant_source_port: type: integer
netflow.vmware_vxlan_export_role: type: short
netflow.vpn_identifier: type: short
netflow.vr_fname: type: keyword
netflow.waasoptimization_segment: type: short
netflow.wlan_channel_id: type: short
netflow.wlan_ssid: type: keyword
netflow.wtp_mac_address: type: keyword
netflow.xlate_destination_address_ip_v4: type: ip
netflow.xlate_destination_port: type: integer
netflow.xlate_source_address_ip_v4: type: ip
netflow.xlate_source_port: type: integer

Arbor Peakflow SP fields

netscout fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Nginx fields

Module for parsing the Nginx log files.

nginx

Fields from the Nginx log files.

access

Contains fields for the Nginx access logs.

nginx.access.remote_ip_list: An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like X-Forwarded-For. Real source IP is restored to source.ip.

type: array
nginx.access.body_sent.bytes: type: alias

alias to: http.response.body.bytes
nginx.access.user_name: type: alias

alias to: user.name
nginx.access.method: type: alias

alias to: http.request.method
nginx.access.url: type: alias

alias to: url.original
nginx.access.http_version: type: alias

alias to: http.version
nginx.access.response_code: type: alias

alias to: http.response.status_code
nginx.access.referrer: type: alias

alias to: http.request.referrer
nginx.access.agent: type: alias

alias to: user_agent.original
nginx.access.user_agent.device: type: alias

alias to: user_agent.device.name
nginx.access.user_agent.name: type: alias

alias to: user_agent.name
nginx.access.user_agent.os: type: alias

alias to: user_agent.os.full_name
nginx.access.user_agent.os_name: type: alias

alias to: user_agent.os.name
nginx.access.user_agent.original: type: alias

alias to: user_agent.original
nginx.access.geoip.continent_name: type: alias

alias to: source.geo.continent_name
nginx.access.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
nginx.access.geoip.location: type: alias

alias to: source.geo.location
nginx.access.geoip.region_name: type: alias

alias to: source.geo.region_name
nginx.access.geoip.city_name: type: alias

alias to: source.geo.city_name
nginx.access.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

error

Contains fields for the Nginx error logs.

nginx.error.connection_id: Connection identifier.

type: long
nginx.error.level: type: alias

alias to: log.level
nginx.error.pid: type: alias

alias to: process.pid
nginx.error.tid: type: alias

alias to: process.thread.id
nginx.error.message: type: alias

alias to: message

ingress_controller

Contains fields for the Ingress Nginx controller access logs.

nginx.ingress_controller.remote_ip_list: An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like X-Forwarded-For. Real source IP is restored to source.ip.

type: array
nginx.ingress_controller.upstream_address_list: An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing.

type: keyword
nginx.ingress_controller.upstream.response.length_list: An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing.

type: keyword
nginx.ingress_controller.upstream.response.time_list: An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing.

type: keyword
nginx.ingress_controller.upstream.response.status_code_list: An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing.

type: keyword
nginx.ingress_controller.http.request.length: The request length (including request line, header, and request body)

type: long

format: bytes
nginx.ingress_controller.http.request.time: Time elapsed since the first bytes were read from the client

type: double

format: duration
nginx.ingress_controller.upstream.name: The name of the upstream.

type: keyword
nginx.ingress_controller.upstream.alternative_name: The name of the alternative upstream.

type: keyword
nginx.ingress_controller.upstream.response.length: The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored.

type: long

format: bytes
nginx.ingress_controller.upstream.response.time: The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored.

type: double

format: duration
nginx.ingress_controller.upstream.response.status_code: The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field.

type: long
nginx.ingress_controller.upstream.ip: The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field.

type: ip
nginx.ingress_controller.upstream.port: The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field.

type: long
nginx.ingress_controller.http.request.id: The randomly generated ID of the request

type: keyword
nginx.ingress_controller.body_sent.bytes: type: alias

alias to: http.response.body.bytes
nginx.ingress_controller.user_name: type: alias

alias to: user.name
nginx.ingress_controller.method: type: alias

alias to: http.request.method
nginx.ingress_controller.url: type: alias

alias to: url.original
nginx.ingress_controller.http_version: type: alias

alias to: http.version
nginx.ingress_controller.response_code: type: alias

alias to: http.response.status_code
nginx.ingress_controller.referrer: type: alias

alias to: http.request.referrer
nginx.ingress_controller.agent: type: alias

alias to: user_agent.original
nginx.ingress_controller.user_agent.device: type: alias

alias to: user_agent.device.name
nginx.ingress_controller.user_agent.name: type: alias

alias to: user_agent.name
nginx.ingress_controller.user_agent.os: type: alias

alias to: user_agent.os.full_name
nginx.ingress_controller.user_agent.os_name: type: alias

alias to: user_agent.os.name
nginx.ingress_controller.user_agent.original: type: alias

alias to: user_agent.original
nginx.ingress_controller.geoip.continent_name: type: alias

alias to: source.geo.continent_name
nginx.ingress_controller.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
nginx.ingress_controller.geoip.location: type: alias

alias to: source.geo.location
nginx.ingress_controller.geoip.region_name: type: alias

alias to: source.geo.region_name
nginx.ingress_controller.geoip.city_name: type: alias

alias to: source.geo.city_name
nginx.ingress_controller.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

Office 365 fields

Module for handling logs from Office 365.

o365.audit

Fields from Office 365 Management API audit logs.

o365.audit.AADGroupId: type: keyword
o365.audit.Actor: type: array
o365.audit.ActorContextId: type: keyword
o365.audit.ActorIpAddress: type: keyword
o365.audit.ActorUserId: type: keyword
o365.audit.ActorYammerUserId: type: keyword
o365.audit.AlertEntityId: type: keyword
o365.audit.AlertId: type: keyword
o365.audit.AlertLinks: type: array
o365.audit.AlertType: type: keyword
o365.audit.AppId: type: keyword
o365.audit.ApplicationDisplayName: type: keyword
o365.audit.ApplicationId: type: keyword
o365.audit.AzureActiveDirectoryEventType: type: keyword
o365.audit.ExchangeMetaData.*: type: object
o365.audit.Category: type: keyword
o365.audit.ClientAppId: type: keyword
o365.audit.ClientInfoString: type: keyword
o365.audit.ClientIP: type: keyword
o365.audit.ClientIPAddress: type: keyword
o365.audit.Comments: type: text
o365.audit.CommunicationType: type: keyword
o365.audit.CorrelationId: type: keyword
o365.audit.CreationTime: type: keyword
o365.audit.CustomUniqueId: type: keyword
o365.audit.Data: type: keyword
o365.audit.DataType: type: keyword
o365.audit.DoNotDistributeEvent: type: boolean
o365.audit.EntityType: type: keyword
o365.audit.ErrorNumber: type: keyword
o365.audit.EventData: type: keyword
o365.audit.EventSource: type: keyword
o365.audit.ExceptionInfo.*: type: object
o365.audit.ExtendedProperties.*: type: object
o365.audit.ExternalAccess: type: keyword
o365.audit.FromApp: type: boolean
o365.audit.GroupName: type: keyword
o365.audit.Id: type: keyword
o365.audit.ImplicitShare: type: keyword
o365.audit.IncidentId: type: keyword
o365.audit.InternalLogonType: type: keyword
o365.audit.InterSystemsId: type: keyword
o365.audit.IntraSystemId: type: keyword
o365.audit.IsDocLib: type: boolean
o365.audit.Item.*: type: object
o365.audit.Item..: type: object
o365.audit.ItemCount: type: long
o365.audit.ItemName: type: keyword
o365.audit.ItemType: type: keyword
o365.audit.ListBaseTemplateType: type: keyword
o365.audit.ListBaseType: type: keyword
o365.audit.ListColor: type: keyword
o365.audit.ListIcon: type: keyword
o365.audit.ListId: type: keyword
o365.audit.ListTitle: type: keyword
o365.audit.ListItemUniqueId: type: keyword
o365.audit.LogonError: type: keyword
o365.audit.LogonType: type: keyword
o365.audit.LogonUserSid: type: keyword
o365.audit.MailboxGuid: type: keyword
o365.audit.MailboxOwnerMasterAccountSid: type: keyword
o365.audit.MailboxOwnerSid: type: keyword
o365.audit.MailboxOwnerUPN: type: keyword
o365.audit.Members: type: array
o365.audit.Members.*: type: object
o365.audit.ModifiedProperties..: type: object
o365.audit.Name: type: keyword
o365.audit.ObjectId: type: keyword
o365.audit.Operation: type: keyword
o365.audit.OrganizationId: type: keyword
o365.audit.OrganizationName: type: keyword
o365.audit.OriginatingServer: type: keyword
o365.audit.Parameters.*: type: object
o365.audit.PolicyDetails: type: array
o365.audit.PolicyId: type: keyword
o365.audit.RecordType: type: keyword
o365.audit.ResultStatus: type: keyword
o365.audit.SensitiveInfoDetectionIsIncluded: type: keyword
o365.audit.SharePointMetaData.*: type: object
o365.audit.SessionId: type: keyword
o365.audit.Severity: type: keyword
o365.audit.Site: type: keyword
o365.audit.SiteUrl: type: keyword
o365.audit.Source: type: keyword
o365.audit.SourceFileExtension: type: keyword
o365.audit.SourceFileName: type: keyword
o365.audit.SourceRelativeUrl: type: keyword
o365.audit.Status: type: keyword
o365.audit.SupportTicketId: type: keyword
o365.audit.Target: type: array
o365.audit.TargetContextId: type: keyword
o365.audit.TargetUserOrGroupName: type: keyword
o365.audit.TargetUserOrGroupType: type: keyword
o365.audit.TeamName: type: keyword
o365.audit.TeamGuid: type: keyword
o365.audit.TemplateTypeId: type: keyword
o365.audit.UniqueSharingId: type: keyword
o365.audit.UserAgent: type: keyword
o365.audit.UserId: type: keyword
o365.audit.UserKey: type: keyword
o365.audit.UserType: type: keyword
o365.audit.Version: type: keyword
o365.audit.WebId: type: keyword
o365.audit.Workload: type: keyword
o365.audit.YammerNetworkId: type: keyword

Okta fields

Module for handling system logs from Okta.

okta

Fields from Okta.

okta.uuid: The unique identifier of the Okta LogEvent.

type: keyword
okta.event_type: The type of the LogEvent.

type: keyword
okta.version: The version of the LogEvent.

type: keyword
okta.severity: The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.

type: keyword
okta.display_message: The display message of the LogEvent.

type: keyword

actor

Fields that let you store information of the actor for the LogEvent.

okta.actor.id: Identifier of the actor.

type: keyword
okta.actor.type: Type of the actor.

type: keyword
okta.actor.alternate_id: Alternate identifier of the actor.

type: keyword
okta.actor.display_name: Display name of the actor.

type: keyword

client

Fields that let you store information about the client of the actor.

okta.client.ip: The IP address of the client.

type: ip

user_agent

Fields about the user agent information of the client.

okta.client.user_agent.raw_user_agent: The raw informaton of the user agent.

type: keyword
okta.client.user_agent.os: The OS informaton.

type: keyword
okta.client.user_agent.browser: The browser informaton of the client.

type: keyword
okta.client.zone: The zone information of the client.

type: keyword
okta.client.device: The information of the client device.

type: keyword
okta.client.id: The identifier of the client.

type: keyword

outcome

Fields that let you store information about the outcome.

okta.outcome.reason: The reason of the outcome.

type: keyword
okta.outcome.result: The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.

type: keyword
okta.target: The list of targets.

type: flattened

transaction

Fields that let you store information about related transaction.

okta.transaction.id: Identifier of the transaction.

type: keyword
okta.transaction.type: The type of transaction. Must be one of "WEB", "JOB".

type: keyword

debug_context

Fields that let you store information about the debug context.

debug_data

The debug data.

okta.debug_context.debug_data.device_fingerprint: The fingerprint of the device.

type: keyword
okta.debug_context.debug_data.factor: The factor used for authentication.

type: keyword
okta.debug_context.debug_data.request_id: The identifier of the request.

type: keyword
okta.debug_context.debug_data.request_uri: The request URI.

type: keyword
okta.debug_context.debug_data.threat_suspected: Threat suspected.

type: keyword
okta.debug_context.debug_data.risk_behaviors: The set of behaviors that contribute to a risk assessment.

type: keyword
okta.debug_context.debug_data.risk_level: The risk level assigned to the sign in attempt.

type: keyword
okta.debug_context.debug_data.risk_reasons: The reasons for the risk.

type: keyword
okta.debug_context.debug_data.url: The URL.

type: keyword
okta.debug_context.debug_data.flattened: The complete debug_data object.

type: flattened

suspicious_activity

The suspicious activity fields from the debug data.

okta.debug_context.debug_data.suspicious_activity.browser: The browser used.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_city: The city where the suspicious activity took place.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_country: The country where the suspicious activity took place.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_id: The event ID.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_ip: The IP of the suspicious event.

type: ip
okta.debug_context.debug_data.suspicious_activity.event_latitude: The latitude where the suspicious activity took place.

type: float
okta.debug_context.debug_data.suspicious_activity.event_longitude: The longitude where the suspicious activity took place.

type: float
okta.debug_context.debug_data.suspicious_activity.event_state: The state where the suspicious activity took place.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_transaction_id: The event transaction ID.

type: keyword
okta.debug_context.debug_data.suspicious_activity.event_type: The event type.

type: keyword
okta.debug_context.debug_data.suspicious_activity.os: The OS of the system from where the suspicious activity occured.

type: keyword
okta.debug_context.debug_data.suspicious_activity.timestamp: The timestamp of when the activity occurred.

type: date

authentication_context

Fields that let you store information about authentication context.

okta.authentication_context.authentication_provider: The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.

type: keyword
okta.authentication_context.authentication_step: The authentication step.

type: integer
okta.authentication_context.credential_provider: The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.

type: keyword
okta.authentication_context.credential_type: The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.

type: keyword
okta.authentication_context.issuer: The information about the issuer.

type: array
okta.authentication_context.external_session_id: The session identifer of the external session if any.

type: keyword
okta.authentication_context.interface: The interface used. e.g., Outlook, Office365, wsTrust

type: keyword

security_context

Fields that let you store information about security context.

as

The autonomous system.

okta.security_context.as.number: The AS number.

type: integer

organization

The organization that owns the AS number.

okta.security_context.as.organization.name: The organization name.

type: keyword
okta.security_context.isp: The Internet Service Provider.

type: keyword
okta.security_context.domain: The domain name.

type: keyword
okta.security_context.is_proxy: Whether it is a proxy or not.

type: boolean

request

Fields that let you store information about the request, in the form of list of ip_chain.

okta.request.ip_chain: List of ip_chain objects.

type: flattened

Oracle fields

Oracle Module

oracle

Fields from Oracle logs.

database_audit

Module for parsing Oracle Database audit logs

oracle.database_audit.priv_used: System privilege used to execute the action.

type: integer
oracle.database_audit.logoff_pread: Physical reads for the session.

type: integer
oracle.database_audit.logoff_lread: Logical reads for the session.

type: integer
oracle.database_audit.logoff_lwrite: Logical writes for the session.

type: integer
oracle.database_audit.logoff_dead: Deadlocks detected during the session.

type: integer
oracle.database_audit.sessioncpu: Amount of CPU time used by each Oracle session.

type: integer
oracle.database_audit.returncode: Oracle error code generated by the action.

type: integer
oracle.database_audit.statement: nth statement in the user session.

type: integer
oracle.database_audit.userid: Name of the user whose actions were audited.

type: keyword
oracle.database_audit.entryid: Numeric ID for each audit trail entry in the session. The entry ID is an index of a session’s audit entries that starts at 1 and increases to the number of entries that are written.

type: integer
oracle.database_audit.comment_text: Text comment on the audit trail entry, providing more information about the statement audited.

type: text
oracle.database_audit.os_userid: Operating system login username of the user whose actions were audited.

type: keyword
oracle.database_audit.terminal: Identifier of the user’s terminal.

type: text
oracle.database_audit.status: Database Audit Status.

type: keyword
oracle.database_audit.session_id: Indicates the audit session ID number.

type: keyword
oracle.database_audit.client.terminal: If available, the client terminal type, for example "pty".

type: keyword
oracle.database_audit.client.address: The IP Address or Domain used by the client.

type: keyword
oracle.database_audit.client.user: The user running the client or connection to the database.

type: keyword
oracle.database_audit.database.user: The database user used to authenticate.

type: keyword
oracle.database_audit.privilege: The privilege group related to the database user.

type: keyword
oracle.database_audit.entry.id: Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.

type: keyword
oracle.database_audit.database.host: Client host machine name.

type: keyword
oracle.database_audit.action: The action performed during the audit event. This could for example be the raw query.

type: keyword
oracle.database_audit.action_number: Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.

type: keyword
oracle.database_audit.database.id: Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.

type: keyword
oracle.database_audit.length: Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.

type: long

Osquery fields

Fields exported by the osquery module

osquery

result

Common fields exported by the result metricset.

osquery.result.name: The name of the query that generated this event.

type: keyword
osquery.result.action: For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".

type: keyword
osquery.result.host_identifier: The identifier for the host on which the osquery agent is running. Normally the hostname.

type: keyword
osquery.result.unix_time: Unix timestamp of the event, in seconds since the epoch. Used for computing the @timestamp column.

type: long
osquery.result.calendar_time: String representation of the collection time, as formatted by osquery.

type: keyword

panw fields

Module for Palo Alto Networks (PAN-OS)

panw

Fields from the panw module.

panos

Fields for the Palo Alto Networks PAN-OS logs.

panw.panos.ruleset: Name of the rule that matched this session.

type: keyword

source

Fields to extend the top-level source object.

panw.panos.source.zone: Source zone for this session.

type: keyword
panw.panos.source.interface: Source interface for this session.

type: keyword

nat

Post-NAT source address, if source NAT is performed.

panw.panos.source.nat.ip: Post-NAT source IP.

type: ip
panw.panos.source.nat.port: Post-NAT source port.

type: long

destination

Fields to extend the top-level destination object.

panw.panos.destination.zone: Destination zone for this session.

type: keyword
panw.panos.destination.interface: Destination interface for this session.

type: keyword

nat

Post-NAT destination address, if destination NAT is performed.

panw.panos.destination.nat.ip: Post-NAT destination IP.

type: ip
panw.panos.destination.nat.port: Post-NAT destination port.

type: long
panw.panos.endreason: The reason a session terminated.

type: keyword

network

Fields to extend the top-level network object.

panw.panos.network.pcap_id: Packet capture ID for a threat.

type: keyword
panw.panos.network.nat.community_id: Community ID flow-hash for the NAT 5-tuple.

type: keyword

file

Fields to extend the top-level file object.

panw.panos.file.hash: Binary hash for a threat file sent to be analyzed by the WildFire service.

type: keyword

url

Fields to extend the top-level url object.

panw.panos.url.category: For threat URLs, it’s the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.

type: keyword
panw.panos.flow_id: Internal numeric identifier for each session.

type: keyword
panw.panos.sequence_number: Log entry identifier that is incremented sequentially. Unique for each log type.

type: long
panw.panos.threat.resource: URL or file name for a threat.

type: keyword
panw.panos.threat.id: Palo Alto Networks identifier for the threat.

type: keyword
panw.panos.threat.name: Palo Alto Networks name for the threat.

type: keyword
panw.panos.action: Action taken for the session.

type: keyword
panw.panos.type: Specifies the type of the log
panw.panos.sub_type: Specifies the sub type of the log
panw.panos.virtual_sys: Virtual system instance

type: keyword
panw.panos.client_os_ver: The client device’s OS version.

type: keyword
panw.panos.client_os: The client device’s OS version.

type: keyword
panw.panos.client_ver: The client’s GlobalProtect app version.

type: keyword
panw.panos.stage: A string showing the stage of the connection

type: keyword

example: before-login
panw.panos.actionflags: A bit field indicating if the log was forwarded to Panorama.

type: keyword
panw.panos.error: A string showing that error that has occurred in any event.

type: keyword
panw.panos.error_code: An integer associated with any errors that occurred.

type: integer
panw.panos.repeatcnt: The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.

type: integer
panw.panos.serial_number: The serial number of the user’s machine or device.

type: keyword
panw.panos.auth_method: A string showing the authentication type

type: keyword

example: LDAP
panw.panos.datasource: Source from which mapping information is collected.

type: keyword
panw.panos.datasourcetype: Mechanism used to identify the IP/User mappings within a data source.

type: keyword
panw.panos.datasourcename: User-ID source that sends the IP (Port)-User Mapping.

type: keyword
panw.panos.factorno: Indicates the use of primary authentication (1) or additional factors (2, 3).

type: integer
panw.panos.factortype: Vendor used to authenticate a user when Multi Factor authentication is present.

type: keyword
panw.panos.factorcompletiontime: Time the authentication was completed.

type: date
panw.panos.ugflags: Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.

type: keyword

device_group_hierarchy

A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.

panw.panos.device_group_hierarchy.level_1: A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.

type: keyword
panw.panos.device_group_hierarchy.level_2: A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.

type: keyword
panw.panos.device_group_hierarchy.level_3: A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.

type: keyword
panw.panos.device_group_hierarchy.level_4: A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.

type: keyword
panw.panos.timeout: Timeout after which the IP/User Mappings are cleared.

type: integer
panw.panos.vsys_id: A unique identifier for a virtual system on a Palo Alto Networks firewall.

type: keyword
panw.panos.vsys_name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

type: keyword
panw.panos.description: Additional information for any event that has occurred.

type: keyword
panw.panos.tunnel_type: The type of tunnel (either SSLVPN or IPSec).

type: keyword
panw.panos.connect_method: A string showing the how the GlobalProtect app connects to Gateway

type: keyword
panw.panos.matchname: Name of the HIP object or profile.

type: keyword
panw.panos.matchtype: Whether the hip field represents a HIP object or a HIP profile.

type: keyword
panw.panos.priority: The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.

type: keyword
panw.panos.response_time: The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.

type: keyword
panw.panos.attempted_gateways: The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority

type: keyword
panw.panos.gateway: The name of the gateway that is specified on the portal configuration.

type: keyword
panw.panos.selection_type: The connection method that is selected to connect to the gateway.

type: keyword

Pensando fields

pensando Module

pensando

Fields from Pensando logs.

dfw

Fields for Pensando DFW

pensando.dfw.action: Action on the flow.

type: keyword
pensando.dfw.app_id: Application ID

type: integer
pensando.dfw.destination_address: Address of destination.

type: keyword
pensando.dfw.destination_port: Port of destination.

type: integer
pensando.dfw.direction: Direction of the flow

type: keyword
pensando.dfw.protocol: Protocol of the flow

type: keyword
pensando.dfw.rule_id: Rule ID that was matched.

type: keyword
pensando.dfw.session_id: Session ID of the flow

type: integer
pensando.dfw.session_state: Session state of the flow.

type: keyword
pensando.dfw.source_address: Source address of the flow.

type: keyword
pensando.dfw.source_port: Source port of the flow.

type: integer
pensando.dfw.timestamp: Timestamp of the log.

type: date

PostgreSQL fields

Module for parsing the PostgreSQL log files.

postgresql

Fields from PostgreSQL logs.

log

Fields from the PostgreSQL log files.

postgresql.log.timestamp: deprecated:[7.3.0]

The timestamp from the log line.
postgresql.log.core_id: deprecated:[8.0.0]

Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number).

type: alias

alias to: postgresql.log.session_line_number
postgresql.log.client_addr: Host where the connection originated from.

example: 127.0.0.1
postgresql.log.client_port: Port where the connection originated from.

example: 59700
postgresql.log.session_id: PostgreSQL session.

example: 5ff1dd98.22
postgresql.log.session_line_number: Line number inside a session. (%l in log_line_prefix).

type: long
postgresql.log.database: Name of database.

example: postgres
postgresql.log.query: Query statement. In the case of CSV parse, look at command_tag to get more context.

example: SELECT * FROM users;
postgresql.log.query_step: Statement step when using extended query protocol (one of statement, parse, bind or execute).

example: parse
postgresql.log.query_name: Name given to a query when using extended query protocol. If it is "<unnamed>", or not present, this field is ignored.

example: pdo_stmt_00000001
postgresql.log.command_tag: Type of session’s current command. The complete list can be found at: src/include/tcop/cmdtaglist.h

example: SELECT
postgresql.log.session_start_time: Time when this session started.

type: date
postgresql.log.virtual_transaction_id: Backend local transaction id.
postgresql.log.transaction_id: The id of current transaction.

type: long
postgresql.log.sql_state_code: State code returned by Postgres (if any). See also https://www.postgresql.org/docs/current/errcodes-appendix.html

type: keyword
postgresql.log.detail: More information about the message, parameters in case of a parametrized query. e.g. 'Role \"user\" does not exist.', 'parameters: $1 = 42', etc.
postgresql.log.hint: A possible solution to solve an error.
postgresql.log.internal_query: Internal query that led to the error (if any).
postgresql.log.internal_query_pos: Character count of the internal query (if any).

type: long
postgresql.log.context: Error context.
postgresql.log.query_pos: Character count of the error position (if any).

type: long
postgresql.log.location: Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose).
postgresql.log.application_name: Name of the application of this event. It is defined by the client.
postgresql.log.backend_type: Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types.

example: client backend
postgresql.log.error.code: deprecated:[8.0.0]

Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead.

type: alias

alias to: postgresql.log.sql_state_code
postgresql.log.timezone: type: alias

alias to: event.timezone
postgresql.log.user: type: alias

alias to: user.name
postgresql.log.level: Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC.

type: alias

example: LOG

alias to: log.level
postgresql.log.message: type: alias

alias to: message

Process fields

Process metadata fields

process.exe: type: alias

alias to: process.executable

owner

Process owner information.

process.owner.id: Unique identifier of the user.

type: keyword
process.owner.name: Short name or login of the user.

type: keyword

example: albert
process.owner.name.text: type: text

Proofpoint Email Security fields

proofpoint fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

RabbitMQ fields

RabbitMQ Module

rabbitmq

log

RabbitMQ log files

rabbitmq.log.pid: The Erlang process id

type: keyword

example: <0.222.0>

Radware DefensePro fields

radware fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Redis fields

Redis Module

redis

log

Redis log files

redis.log.role: The role of the Redis instance. Can be one of master, slave, child (for RDF/AOF writing child), or sentinel.

type: keyword
redis.log.pid: type: alias

alias to: process.pid
redis.log.level: type: alias

alias to: log.level
redis.log.message: type: alias

alias to: message

slowlog

Slow logs are retrieved from Redis via a network connection.

redis.slowlog.cmd: The command executed.

type: keyword
redis.slowlog.duration.us: How long it took to execute the command in microseconds.

type: long
redis.slowlog.id: The ID of the query.

type: long
redis.slowlog.key: The key on which the command was executed.

type: keyword
redis.slowlog.args: The arguments with which the command was called.

type: keyword

s3 fields

S3 fields from s3 input.

bucket.name: Name of the S3 bucket that this log retrieved from.

type: keyword
bucket.arn: ARN of the S3 bucket that this log retrieved from.

type: keyword
object.key: Name of the S3 object that this log retrieved from.

type: keyword
metadata: AWS S3 object metadata values.

type: flattened

Salesforce fields

Salesforce Module

salesforce

Fileset for ingesting Salesforce Apex logs.

salesforce.access_mode: The mode of collecting logs from Salesforce - "rest" or "stream".

type: keyword

apex

Fileset for ingesting Salesforce Apex logs.

salesforce.apex.action: Action performed by the callout.

type: keyword
salesforce.apex.callout_time: Time spent waiting on webservice callouts, in milliseconds.

type: keyword
salesforce.apex.class_name: The Apex class name. If the class is part of a managed package, this string includes the package namespace.

type: keyword
salesforce.apex.client_name: The name of the client that’s using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didnt specify a client in the CallOptions header.

type: keyword
salesforce.apex.cpu_time: The CPU time in milliseconds used to complete the request.

type: keyword
salesforce.apex.db_blocks: Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance.

type: keyword
salesforce.apex.db_cpu_time: The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request.

type: keyword
salesforce.apex.db_total_time: Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code.

type: keyword
salesforce.apex.entity: Name of the external object being accessed.

type: keyword
salesforce.apex.entity_name: The name of the object affected by the trigger.

type: keyword
salesforce.apex.entry_point: The entry point for this Apex execution.

type: keyword
salesforce.apex.event_type: The type of event. The value is always ApexCallout.

type: keyword
salesforce.apex.execute_ms: How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later.

type: keyword
salesforce.apex.fetch_ms: How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later.

type: keyword
salesforce.apex.filter: Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries.

type: keyword
salesforce.apex.is_long_running_request: Indicates whether the request is counted against your org’s concurrent long-running Apex request limit (true) or not (false).

type: keyword
salesforce.apex.limit: Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries.

type: keyword
salesforce.apex.limit_usage_percent: The percentage of Apex SOAP calls that were made against the organization’s limit.

type: keyword
salesforce.apex.login_key: The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.

type: keyword
salesforce.apex.media_type: The media type of the response.

type: keyword
salesforce.apex.message: Error or warning message associated with the failed call.

type: keyword
salesforce.apex.method_name: The name of the calling Apex method.

type: keyword
salesforce.apex.number_fields: The number of fields or columns, where applicable.

type: keyword
salesforce.apex.number_soql_queries: The number of SOQL queries that were executed during the event.

type: keyword
salesforce.apex.offset: Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries.

type: keyword
salesforce.apex.orderby: Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries.

type: keyword
salesforce.apex.organization_id: The 15-character ID of the organization.

type: keyword
salesforce.apex.query: The SOQL query, if one was performed.

type: keyword
salesforce.apex.quiddity: The type of outer execution associated with this event.

type: keyword
salesforce.apex.request.id: The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.

type: keyword
salesforce.apex.request.status: The status of the request for a page view or user interface action.

type: keyword
salesforce.apex.rows.total: Total number of records in the result set. The value is always -1 if the custom adapter’s DataSource.Provider class doesn’t declare the QUERY_TOTAL_SIZE capability.

type: keyword
salesforce.apex.rows.fetched: Number of rows fetched by the callout. Available in API version 42.0 and later.

type: keyword
salesforce.apex.rows.processed: The number of rows that were processed in the request.

type: keyword
salesforce.apex.run_time: Not used for this event type. Use the TIME field instead.

type: keyword
salesforce.apex.select: Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries.

type: keyword
salesforce.apex.subqueries: Reserved for future use.

type: keyword
salesforce.apex.throughput: Number of records retrieved in one second.

type: keyword
salesforce.apex.trigger.id: The 15-character ID of the trigger that was fired.

type: keyword
salesforce.apex.trigger.name: For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger.

type: keyword
salesforce.apex.trigger.type: The type of this trigger.

type: keyword
salesforce.apex.type: The type of Apex callout.

type: keyword
salesforce.apex.uri: The URI of the page that’s receiving the request.

type: keyword
salesforce.apex.uri_id_derived: The 18-character case-safe ID of the URI of the page that’s receiving the request.

type: keyword
salesforce.apex.user_agent: The numeric code for the type of client used to make the request (for example, the browser, application, or API).

type: keyword
salesforce.apex.user_id_derived: The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API.

type: keyword

salesforce.login

Fileset for ingesting Salesforce Login (Streaming) logs.

salesforce.login.application: The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A

type: keyword
salesforce.login.auth_method_reference: The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.

type: keyword
salesforce.login.auth_service_id: The 18-character ID for an authentication service for a login event.

type: keyword
salesforce.login.client_version: The version number of the login client. If no version number is available, “Unknown” is returned.

type: keyword
salesforce.login.created_by_id: Unavailable

type: keyword
salesforce.login.evaluation_time: The amount of time it took to evaluate the transaction security policy, in milliseconds.

type: keyword
salesforce.login.login_geo_id: The Salesforce ID of the LoginGeo object associated with the login user’s IP address.

type: keyword
salesforce.login.login_history_id: Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication.

type: keyword
salesforce.login.login_type: The type of login used to access the session.

type: keyword
salesforce.login.policy_id: The ID of the transaction security policy associated with this event.

type: keyword
salesforce.login.policy_outcome: The result of the transaction policy.

type: keyword
salesforce.login.related_event_identifier: This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.

type: keyword
salesforce.login.session_level: Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD

type: keyword

salesforce.logout

Fileset for parsing Salesforce Logout (Streaming) logs.

salesforce.logout.created_by_id: Unavailable

type: keyword
salesforce.logout.related_event_identifier: This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.

type: keyword
salesforce.logout.replay_id: Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.

type: keyword
salesforce.logout.schema: Unavailable

type: keyword

salesforce.setup_audit_trail

Fileset for ingesting Salesforce SetupAuditTrail logs.

salesforce.setup_audit_trail.event_type: Event type

type: keyword
salesforce.setup_audit_trail.created_by_context: The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein.

type: keyword
salesforce.setup_audit_trail.created_by_id: Unknown

type: keyword
salesforce.setup_audit_trail.created_by_issuer: Reserved for future use.

type: keyword
salesforce.setup_audit_trail.delegate_user: The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later.

type: keyword
salesforce.setup_audit_trail.display: The full description of changes made in Setup. For example, if the Action field has a value of PermSetCreate, the Display field has a value like “Created permission set MAD: with user license Salesforce.

type: keyword
salesforce.setup_audit_trail.responsible_namespace_prefix: Unknown

type: keyword
salesforce.setup_audit_trail.section: The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile.

type: keyword

Google Santa fields

Santa Module

santa

santa.action: Action

type: keyword

example: EXEC
santa.decision: Decision that santad took.

type: keyword

example: ALLOW
santa.reason: Reason for the decsision.

type: keyword

example: CERT
santa.mode: Operating mode of Santa.

type: keyword

example: M

disk

Fields for DISKAPPEAR actions.

santa.disk.volume: The volume name.
santa.disk.bus: The disk bus protocol.
santa.disk.serial: The disk serial number.
santa.disk.bsdname: The disk BSD name.

example: disk1s3
santa.disk.model: The disk model.

example: APPLE SSD SM0512L
santa.disk.fs: The disk volume kind (filesystem type).

example: apfs
santa.disk.mount: The disk volume path.
santa.certificate.common_name: Common name from code signing certificate.

type: keyword
santa.certificate.sha256: SHA256 hash of code signing certificate.

type: keyword

Snort/Sourcefire fields

snort fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Snyk fields

Snyk module

snyk

Module for parsing Snyk project vulnerabilities.

snyk.projects: Array with all related projects objects.

type: flattened
snyk.related.projects: Array of all the related project ID’s.

type: keyword

audit

Module for parsing Snyk audit logs.

snyk.audit.org_id: ID of the related Organization related to the event.

type: keyword
snyk.audit.project_id: ID of the project related to the event.

type: keyword
snyk.audit.content: Overview of the content that was changed, both old and new values.

type: flattened

vulnerabilities

Module for parsing Snyk project vulnerabilities.

snyk.vulnerabilities.cvss3: CSSv3 scores.

type: keyword
snyk.vulnerabilities.disclosure_time: The time this vulnerability was originally disclosed to the package maintainers.

type: date
snyk.vulnerabilities.exploit_maturity: The Snyk exploit maturity level.

type: keyword
snyk.vulnerabilities.id: The vulnerability reference ID.

type: keyword
snyk.vulnerabilities.is_ignored: If the vulnerability report has been ignored.

type: boolean
snyk.vulnerabilities.is_patchable: If vulnerability is fixable by using a Snyk supplied patch.

type: boolean
snyk.vulnerabilities.is_patched: If the vulnerability has been patched.

type: boolean
snyk.vulnerabilities.is_pinnable: If the vulnerability is fixable by pinning a transitive dependency.

type: boolean
snyk.vulnerabilities.is_upgradable: If the vulnerability fixable by upgrading a dependency.

type: boolean
snyk.vulnerabilities.language: The package’s programming language.

type: keyword
snyk.vulnerabilities.package: The package identifier according to its package manager.

type: keyword
snyk.vulnerabilities.package_manager: The package manager.

type: keyword
snyk.vulnerabilities.patches: Patches required to resolve the issue created by Snyk.

type: flattened
snyk.vulnerabilities.priority_score: The CVS priority score.

type: long
snyk.vulnerabilities.publication_time: The vulnerability publication time.

type: date
snyk.vulnerabilities.jira_issue_url: Link to the related Jira issue.

type: keyword
snyk.vulnerabilities.original_severity: The original severity of the vulnerability.

type: long
snyk.vulnerabilities.reachability: If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable.

type: keyword
snyk.vulnerabilities.title: The issue title.

type: keyword
snyk.vulnerabilities.type: The issue type. Can be either "license" or "vulnerability".

type: keyword
snyk.vulnerabilities.unique_severities_list: A list of related unique severities.

type: keyword
snyk.vulnerabilities.version: The package version this issue is applicable to.

type: keyword
snyk.vulnerabilities.introduced_date: The date the vulnerability was initially found.

type: date
snyk.vulnerabilities.is_fixed: If the related vulnerability has been resolved.

type: boolean
snyk.vulnerabilities.credit: Reference to the person that original found the vulnerability.

type: keyword
snyk.vulnerabilities.semver: One or more semver ranges this issue is applicable to. The format varies according to package manager.

type: flattened
snyk.vulnerabilities.identifiers.alternative: Additional vulnerability identifiers.

type: keyword
snyk.vulnerabilities.identifiers.cwe: CWE vulnerability identifiers.

type: keyword

Sonicwall-FW fields

sonicwall fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

sophos fields

sophos Module

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

sophos.xg

Module for parsing sophosxg syslog.

sophos.xg.action: Event Action

type: keyword
sophos.xg.activityname: Web policy activity that matched and caused the policy result.

type: keyword
sophos.xg.ap: Access Point Serial ID or LocalWifi0 or LocalWifi1.

type: keyword
sophos.xg.app_category: Name of the category under which application falls

type: keyword
sophos.xg.app_filter_policy_id: Application filter policy ID applied on the traffic

type: keyword
sophos.xg.app_is_cloud: Application is Cloud

type: keyword
sophos.xg.app_name: Application name

type: keyword
sophos.xg.app_resolved_by: Application is resolved by signature or synchronized application

type: keyword
sophos.xg.app_risk: Risk level assigned to the application

type: keyword
sophos.xg.app_technology: Technology of the application

type: keyword
sophos.xg.appfilter_policy_id: Application Filter policy applied on the traffic

type: integer
sophos.xg.application: Application name

type: keyword
sophos.xg.application_category: Application is resolved by signature or synchronized application

type: keyword
sophos.xg.application_filter_policy: Application Filter policy applied on the traffic

type: integer
sophos.xg.application_name: Application name

type: keyword
sophos.xg.application_risk: Risk level assigned to the application

type: keyword
sophos.xg.application_technology: Technology of the application

type: keyword
sophos.xg.appresolvedby: Technology of the application

type: keyword
sophos.xg.auth_client: Auth Client

type: keyword
sophos.xg.auth_mechanism: Auth mechanism

type: keyword
sophos.xg.av_policy_name: Malware scanning policy name which is applied on the traffic

type: keyword
sophos.xg.backup_mode: Backup mode

type: keyword
sophos.xg.branch_name: Branch Name

type: keyword
sophos.xg.category: IPS signature category.

type: keyword
sophos.xg.category_type: Type of category under which website falls

type: keyword
sophos.xg.classification: Signature classification

type: keyword
sophos.xg.client_host_name: Client host name

type: keyword
sophos.xg.client_physical_address: Client physical address

type: keyword
sophos.xg.clients_conn_ssid: Number of client connected to the SSID.

type: long
sophos.xg.collisions: collisions

type: long
sophos.xg.con_event: Event Start/Stop

type: keyword
sophos.xg.con_id: Unique identifier of connection

type: integer
sophos.xg.configuration: Configuration

type: float
sophos.xg.conn_id: Unique identifier of connection

type: integer
sophos.xg.connectionname: Connectionname

type: keyword
sophos.xg.connectiontype: Connectiontype

type: keyword
sophos.xg.connevent: Event on which this log is generated

type: keyword
sophos.xg.connid: Connection ID

type: keyword
sophos.xg.content_type: Type of the content

type: keyword
sophos.xg.contenttype: Type of the content

type: keyword
sophos.xg.context_match: Context Match

type: keyword
sophos.xg.context_prefix: Content Prefix

type: keyword
sophos.xg.context_suffix: Context Suffix

type: keyword
sophos.xg.cookie: cookie

type: keyword
sophos.xg.date: Date (yyyy-mm-dd) when the event occurred

type: date
sophos.xg.destinationip: Original destination IP address of traffic

type: ip
sophos.xg.device: device

type: keyword
sophos.xg.device_id: Serial number of the device

type: keyword
sophos.xg.device_model: Model number of the device

type: keyword
sophos.xg.device_name: Model number of the device

type: keyword
sophos.xg.dictionary_name: Dictionary Name

type: keyword
sophos.xg.dir_disp: TPacket direction. Possible values:“org”, “reply”, “”

type: keyword
sophos.xg.direction: Direction

type: keyword
sophos.xg.domainname: Domain from which virus was downloaded

type: keyword
sophos.xg.download_file_name: Download file name

type: keyword
sophos.xg.download_file_type: Download file type

type: keyword
sophos.xg.dst_country_code: Code of the country to which the destination IP belongs

type: keyword
sophos.xg.dst_domainname: Receiver domain name

type: keyword
sophos.xg.dst_ip: Original destination IP address of traffic

type: ip
sophos.xg.dst_port: Original destination port of TCP and UDP traffic

type: integer
sophos.xg.dst_zone_type: Type of destination zone

type: keyword
sophos.xg.dstdomain: Destination Domain

type: keyword
sophos.xg.duration: Durability of traffic (seconds)

type: long
sophos.xg.email_subject: Email Subject

type: keyword
sophos.xg.ep_uuid: Endpoint UUID

type: keyword
sophos.xg.ether_type: ethernet frame type

type: keyword
sophos.xg.eventid: ATP Evenet ID

type: keyword
sophos.xg.eventtime: Event time

type: date
sophos.xg.eventtype: ATP event type

type: keyword
sophos.xg.exceptions: List of the checks excluded by web exceptions.

type: keyword
sophos.xg.execution_path: ATP execution path

type: keyword
sophos.xg.extra: extra

type: keyword
sophos.xg.file_name: Filename

type: keyword
sophos.xg.file_path: File path

type: keyword
sophos.xg.file_size: File Size

type: integer
sophos.xg.filename: File name associated with the event

type: keyword
sophos.xg.filepath: Path of the file containing virus

type: keyword
sophos.xg.filesize: Size of the file that contained virus

type: integer
sophos.xg.free: free

type: integer
sophos.xg.from_email_address: Sender email address

type: keyword
sophos.xg.ftp_direction: Direction of FTP transfer: Upload or Download

type: keyword
sophos.xg.ftp_url: FTP URL from which virus was downloaded

type: keyword
sophos.xg.ftpcommand: FTP command used when virus was found

type: keyword
sophos.xg.fw_rule_id: Firewall Rule ID which is applied on the traffic

type: integer
sophos.xg.fw_rule_type: Firewall rule type which is applied on the traffic

type: keyword
sophos.xg.hb_health: Heartbeat status

type: keyword
sophos.xg.hb_status: Heartbeat status

type: keyword
sophos.xg.host: Host

type: keyword
sophos.xg.http_category: HTTP Category

type: keyword
sophos.xg.http_category_type: HTTP Category Type

type: keyword
sophos.xg.httpresponsecode: code of HTTP response

type: long
sophos.xg.iap: Internet Access policy ID applied on the traffic

type: keyword
sophos.xg.icmp_code: ICMP code of ICMP traffic

type: keyword
sophos.xg.icmp_type: ICMP type of ICMP traffic

type: keyword
sophos.xg.idle_cpu: idle ##

type: float
sophos.xg.idp_policy_id: IPS policy ID which is applied on the traffic

type: integer
sophos.xg.idp_policy_name: IPS policy name i.e. IPS policy name which is applied on the traffic

type: keyword
sophos.xg.in_interface: Interface for incoming traffic, e.g., Port A

type: keyword
sophos.xg.interface: interface

type: keyword
sophos.xg.ipaddress: Ipaddress

type: keyword
sophos.xg.ips_policy_id: IPS policy ID applied on the traffic

type: integer
sophos.xg.lease_time: Lease Time

type: keyword
sophos.xg.localgateway: Localgateway

type: keyword
sophos.xg.localnetwork: Localnetwork

type: keyword
sophos.xg.log_component: Component responsible for logging e.g. Firewall rule

type: keyword
sophos.xg.log_id: Unique 12 characters code (0101011)

type: keyword
sophos.xg.log_subtype: Sub type of event

type: keyword
sophos.xg.log_type: Type of event e.g. firewall event

type: keyword
sophos.xg.log_version: Log Version

type: keyword
sophos.xg.login_user: ATP login user

type: keyword
sophos.xg.mailid: mailid

type: keyword
sophos.xg.mailsize: mailsize

type: integer
sophos.xg.message: Message

type: keyword
sophos.xg.mode: Mode

type: keyword
sophos.xg.nat_rule_id: NAT Rule ID

type: keyword
sophos.xg.newversion: Newversion

type: keyword
sophos.xg.oldversion: Oldversion

type: keyword
sophos.xg.out_interface: Interface for outgoing traffic, e.g., Port B

type: keyword
sophos.xg.override_authorizer: Override authorizer

type: keyword
sophos.xg.override_name: Override name

type: keyword
sophos.xg.override_token: Override token

type: keyword
sophos.xg.phpsessid: PHP session ID

type: keyword
sophos.xg.platform: Platform of the traffic.

type: keyword
sophos.xg.policy_type: Policy type applied to the traffic

type: keyword
sophos.xg.priority: Severity level of traffic

type: keyword
sophos.xg.protocol: Protocol number of traffic

type: keyword
sophos.xg.qualifier: Qualifier

type: keyword
sophos.xg.quarantine: Path and filename of the file quarantined

type: keyword
sophos.xg.quarantine_reason: Quarantine reason

type: keyword
sophos.xg.querystring: querystring

type: keyword
sophos.xg.raw_data: Raw data

type: keyword
sophos.xg.received_pkts: Total number of packets received

type: long
sophos.xg.receiveddrops: received drops

type: long
sophos.xg.receivederrors: received errors

type: keyword
sophos.xg.receivedkbits: received kbits

type: long
sophos.xg.recv_bytes: Total number of bytes received

type: long
sophos.xg.red_id: RED ID

type: keyword
sophos.xg.referer: Referer

type: keyword
sophos.xg.remote_ip: Remote IP

type: ip
sophos.xg.remotenetwork: remotenetwork

type: keyword
sophos.xg.reported_host: Reported Host

type: keyword
sophos.xg.reported_ip: Reported IP

type: keyword
sophos.xg.reports: Reports

type: float
sophos.xg.rule_priority: Priority of IPS policy

type: keyword
sophos.xg.sent_bytes: Total number of bytes sent

type: long
sophos.xg.sent_pkts: Total number of packets sent

type: long
sophos.xg.server: Server

type: keyword
sophos.xg.sessionid: Sessionid

type: keyword
sophos.xg.sha1sum: SHA1 checksum of the item being analyzed

type: keyword
sophos.xg.signature: Signature

type: float
sophos.xg.signature_id: Signature ID

type: keyword
sophos.xg.signature_msg: Signature messsage

type: keyword
sophos.xg.site_category: Site Category

type: keyword
sophos.xg.source: Source

type: keyword
sophos.xg.sourceip: Original source IP address of traffic

type: ip
sophos.xg.spamaction: Spam Action

type: keyword
sophos.xg.sqli: related SQLI caught by the WAF

type: keyword
sophos.xg.src_country_code: Code of the country to which the source IP belongs

type: keyword
sophos.xg.src_domainname: Sender domain name

type: keyword
sophos.xg.src_ip: Original source IP address of traffic

type: ip
sophos.xg.src_mac: Original source MAC address of traffic

type: keyword
sophos.xg.src_port: Original source port of TCP and UDP traffic

type: integer
sophos.xg.src_zone_type: Type of source zone

type: keyword
sophos.xg.ssid: Configured SSID name.

type: keyword
sophos.xg.start_time: Start time

type: date
sophos.xg.starttime: Starttime

type: date
sophos.xg.status: Ultimate status of traffic – Allowed or Denied

type: keyword
sophos.xg.status_code: Status code

type: keyword
sophos.xg.subject: Email subject

type: keyword
sophos.xg.syslog_server_name: Syslog server name.

type: keyword
sophos.xg.system_cpu: system

type: float
sophos.xg.target: Platform of the traffic.

type: keyword
sophos.xg.temp: Temp

type: float
sophos.xg.threatname: ATP threatname

type: keyword
sophos.xg.timestamp: timestamp

type: date
sophos.xg.timezone: Time (hh:mm:ss) when the event occurred

type: keyword
sophos.xg.to_email_address: Receipeint email address

type: keyword
sophos.xg.total_memory: Total Memory

type: integer
sophos.xg.trans_dst_ip: Translated destination IP address for outgoing traffic

type: ip
sophos.xg.trans_dst_port: Translated destination port for outgoing traffic

type: integer
sophos.xg.trans_src_ip: Translated source IP address for outgoing traffic

type: ip
sophos.xg.trans_src_port: Translated source port for outgoing traffic

type: integer
sophos.xg.transaction_id: Transaction ID

type: keyword
sophos.xg.transactionid: Transaction ID of the AV scan.

type: keyword
sophos.xg.transmitteddrops: transmitted drops

type: long
sophos.xg.transmittederrors: transmitted errors

type: keyword
sophos.xg.transmittedkbits: transmitted kbits

type: long
sophos.xg.unit: unit

type: keyword
sophos.xg.updatedip: updatedip

type: ip
sophos.xg.upload_file_name: Upload file name

type: keyword
sophos.xg.upload_file_type: Upload file type

type: keyword
sophos.xg.url: URL from which virus was downloaded

type: keyword
sophos.xg.used: used

type: integer
sophos.xg.used_quota: Used Quota

type: keyword
sophos.xg.user: User

type: keyword
sophos.xg.user_cpu: system

type: float
sophos.xg.user_gp: Group name to which the user belongs.

type: keyword
sophos.xg.user_group: Group name to which the user belongs

type: keyword
sophos.xg.user_name: user_name

type: keyword
sophos.xg.users: Number of users from System Health / Live User events.

type: long
sophos.xg.vconn_id: Connection ID of the master connection

type: integer
sophos.xg.virus: virus name

type: keyword
sophos.xg.web_policy_id: Web policy ID

type: keyword
sophos.xg.website: Website

type: keyword
sophos.xg.xss: related XSS caught by the WAF

type: keyword

Squid fields

squid fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Suricata fields

Module for handling the EVE JSON logs produced by Suricata.

suricata

Fields from the Suricata EVE log file.

eve

Fields exported by the EVE JSON logs

suricata.eve.event_type: type: keyword
suricata.eve.app_proto_orig: type: keyword
suricata.eve.tcp.tcp_flags: type: keyword
suricata.eve.tcp.psh: type: boolean
suricata.eve.tcp.tcp_flags_tc: type: keyword
suricata.eve.tcp.ack: type: boolean
suricata.eve.tcp.syn: type: boolean
suricata.eve.tcp.state: type: keyword
suricata.eve.tcp.tcp_flags_ts: type: keyword
suricata.eve.tcp.rst: type: boolean
suricata.eve.tcp.fin: type: boolean
suricata.eve.fileinfo.sha1: type: keyword
suricata.eve.fileinfo.tx_id: type: long
suricata.eve.fileinfo.state: type: keyword
suricata.eve.fileinfo.stored: type: boolean
suricata.eve.fileinfo.gaps: type: boolean
suricata.eve.fileinfo.sha256: type: keyword
suricata.eve.fileinfo.md5: type: keyword
suricata.eve.icmp_type: type: long
suricata.eve.pcap_cnt: type: long
suricata.eve.dns.type: type: keyword
suricata.eve.dns.rrtype: type: keyword
suricata.eve.dns.rrname: type: keyword
suricata.eve.dns.rdata: type: keyword
suricata.eve.dns.tx_id: type: long
suricata.eve.dns.ttl: type: long
suricata.eve.dns.rcode: type: keyword
suricata.eve.dns.id: type: long
suricata.eve.flow_id: type: keyword
suricata.eve.email.status: type: keyword
suricata.eve.icmp_code: type: long
suricata.eve.http.redirect: type: keyword
suricata.eve.http.protocol: type: keyword
suricata.eve.http.http_content_type: type: keyword
suricata.eve.in_iface: type: keyword
suricata.eve.alert.metadata: Metadata about the alert.

type: flattened
suricata.eve.alert.category: type: keyword
suricata.eve.alert.rev: type: long
suricata.eve.alert.gid: type: long
suricata.eve.alert.signature: type: keyword
suricata.eve.alert.signature_id: type: long
suricata.eve.alert.protocols: type: keyword
suricata.eve.alert.attack_target: type: keyword
suricata.eve.alert.capec_id: type: keyword
suricata.eve.alert.cwe_id: type: keyword
suricata.eve.alert.malware: type: keyword
suricata.eve.alert.cve: type: keyword
suricata.eve.alert.cvss_v2_base: type: keyword
suricata.eve.alert.cvss_v2_temporal: type: keyword
suricata.eve.alert.cvss_v3_base: type: keyword
suricata.eve.alert.cvss_v3_temporal: type: keyword
suricata.eve.alert.priority: type: keyword
suricata.eve.alert.hostile: type: keyword
suricata.eve.alert.infected: type: keyword
suricata.eve.alert.created_at: type: date
suricata.eve.alert.updated_at: type: date
suricata.eve.alert.classtype: type: keyword
suricata.eve.alert.rule_source: type: keyword
suricata.eve.alert.sid: type: keyword
suricata.eve.alert.affected_product: type: keyword
suricata.eve.alert.deployment: type: keyword
suricata.eve.alert.former_category: type: keyword
suricata.eve.alert.mitre_tool_id: type: keyword
suricata.eve.alert.performance_impact: type: keyword
suricata.eve.alert.signature_severity: type: keyword
suricata.eve.alert.tag: type: keyword
suricata.eve.ssh.client.proto_version: type: keyword
suricata.eve.ssh.client.software_version: type: keyword
suricata.eve.ssh.server.proto_version: type: keyword
suricata.eve.ssh.server.software_version: type: keyword
suricata.eve.stats.capture.kernel_packets: type: long
suricata.eve.stats.capture.kernel_drops: type: long
suricata.eve.stats.capture.kernel_ifdrops: type: long
suricata.eve.stats.uptime: type: long
suricata.eve.stats.detect.alert: type: long
suricata.eve.stats.http.memcap: type: long
suricata.eve.stats.http.memuse: type: long
suricata.eve.stats.file_store.open_files: type: long
suricata.eve.stats.defrag.max_frag_hits: type: long
suricata.eve.stats.defrag.ipv4.timeouts: type: long
suricata.eve.stats.defrag.ipv4.fragments: type: long
suricata.eve.stats.defrag.ipv4.reassembled: type: long
suricata.eve.stats.defrag.ipv6.timeouts: type: long
suricata.eve.stats.defrag.ipv6.fragments: type: long
suricata.eve.stats.defrag.ipv6.reassembled: type: long
suricata.eve.stats.flow.tcp_reuse: type: long
suricata.eve.stats.flow.udp: type: long
suricata.eve.stats.flow.memcap: type: long
suricata.eve.stats.flow.emerg_mode_entered: type: long
suricata.eve.stats.flow.emerg_mode_over: type: long
suricata.eve.stats.flow.tcp: type: long
suricata.eve.stats.flow.icmpv6: type: long
suricata.eve.stats.flow.icmpv4: type: long
suricata.eve.stats.flow.spare: type: long
suricata.eve.stats.flow.memuse: type: long
suricata.eve.stats.tcp.pseudo_failed: type: long
suricata.eve.stats.tcp.ssn_memcap_drop: type: long
suricata.eve.stats.tcp.insert_data_overlap_fail: type: long
suricata.eve.stats.tcp.sessions: type: long
suricata.eve.stats.tcp.pseudo: type: long
suricata.eve.stats.tcp.synack: type: long
suricata.eve.stats.tcp.insert_data_normal_fail: type: long
suricata.eve.stats.tcp.syn: type: long
suricata.eve.stats.tcp.memuse: type: long
suricata.eve.stats.tcp.invalid_checksum: type: long
suricata.eve.stats.tcp.segment_memcap_drop: type: long
suricata.eve.stats.tcp.overlap: type: long
suricata.eve.stats.tcp.insert_list_fail: type: long
suricata.eve.stats.tcp.rst: type: long
suricata.eve.stats.tcp.stream_depth_reached: type: long
suricata.eve.stats.tcp.reassembly_memuse: type: long
suricata.eve.stats.tcp.reassembly_gap: type: long
suricata.eve.stats.tcp.overlap_diff_data: type: long
suricata.eve.stats.tcp.no_flow: type: long
suricata.eve.stats.decoder.avg_pkt_size: type: long
suricata.eve.stats.decoder.bytes: type: long
suricata.eve.stats.decoder.tcp: type: long
suricata.eve.stats.decoder.raw: type: long
suricata.eve.stats.decoder.ppp: type: long
suricata.eve.stats.decoder.vlan_qinq: type: long
suricata.eve.stats.decoder.null: type: long
suricata.eve.stats.decoder.ltnull.unsupported_type: type: long
suricata.eve.stats.decoder.ltnull.pkt_too_small: type: long
suricata.eve.stats.decoder.invalid: type: long
suricata.eve.stats.decoder.gre: type: long
suricata.eve.stats.decoder.ipv4: type: long
suricata.eve.stats.decoder.ipv6: type: long
suricata.eve.stats.decoder.pkts: type: long
suricata.eve.stats.decoder.ipv6_in_ipv6: type: long
suricata.eve.stats.decoder.ipraw.invalid_ip_version: type: long
suricata.eve.stats.decoder.pppoe: type: long
suricata.eve.stats.decoder.udp: type: long
suricata.eve.stats.decoder.dce.pkt_too_small: type: long
suricata.eve.stats.decoder.vlan: type: long
suricata.eve.stats.decoder.sctp: type: long
suricata.eve.stats.decoder.max_pkt_size: type: long
suricata.eve.stats.decoder.teredo: type: long
suricata.eve.stats.decoder.mpls: type: long
suricata.eve.stats.decoder.sll: type: long
suricata.eve.stats.decoder.icmpv6: type: long
suricata.eve.stats.decoder.icmpv4: type: long
suricata.eve.stats.decoder.erspan: type: long
suricata.eve.stats.decoder.ethernet: type: long
suricata.eve.stats.decoder.ipv4_in_ipv6: type: long
suricata.eve.stats.decoder.ieee8021ah: type: long
suricata.eve.stats.dns.memcap_global: type: long
suricata.eve.stats.dns.memcap_state: type: long
suricata.eve.stats.dns.memuse: type: long
suricata.eve.stats.flow_mgr.rows_busy: type: long
suricata.eve.stats.flow_mgr.flows_timeout: type: long
suricata.eve.stats.flow_mgr.flows_notimeout: type: long
suricata.eve.stats.flow_mgr.rows_skipped: type: long
suricata.eve.stats.flow_mgr.closed_pruned: type: long
suricata.eve.stats.flow_mgr.new_pruned: type: long
suricata.eve.stats.flow_mgr.flows_removed: type: long
suricata.eve.stats.flow_mgr.bypassed_pruned: type: long
suricata.eve.stats.flow_mgr.est_pruned: type: long
suricata.eve.stats.flow_mgr.flows_timeout_inuse: type: long
suricata.eve.stats.flow_mgr.flows_checked: type: long
suricata.eve.stats.flow_mgr.rows_maxlen: type: long
suricata.eve.stats.flow_mgr.rows_checked: type: long
suricata.eve.stats.flow_mgr.rows_empty: type: long
suricata.eve.stats.app_layer.flow.tls: type: long
suricata.eve.stats.app_layer.flow.ftp: type: long
suricata.eve.stats.app_layer.flow.http: type: long
suricata.eve.stats.app_layer.flow.failed_udp: type: long
suricata.eve.stats.app_layer.flow.dns_udp: type: long
suricata.eve.stats.app_layer.flow.dns_tcp: type: long
suricata.eve.stats.app_layer.flow.smtp: type: long
suricata.eve.stats.app_layer.flow.failed_tcp: type: long
suricata.eve.stats.app_layer.flow.msn: type: long
suricata.eve.stats.app_layer.flow.ssh: type: long
suricata.eve.stats.app_layer.flow.imap: type: long
suricata.eve.stats.app_layer.flow.dcerpc_udp: type: long
suricata.eve.stats.app_layer.flow.dcerpc_tcp: type: long
suricata.eve.stats.app_layer.flow.smb: type: long
suricata.eve.stats.app_layer.tx.tls: type: long
suricata.eve.stats.app_layer.tx.ftp: type: long
suricata.eve.stats.app_layer.tx.http: type: long
suricata.eve.stats.app_layer.tx.dns_udp: type: long
suricata.eve.stats.app_layer.tx.dns_tcp: type: long
suricata.eve.stats.app_layer.tx.smtp: type: long
suricata.eve.stats.app_layer.tx.ssh: type: long
suricata.eve.stats.app_layer.tx.dcerpc_udp: type: long
suricata.eve.stats.app_layer.tx.dcerpc_tcp: type: long
suricata.eve.stats.app_layer.tx.smb: type: long
suricata.eve.tls.notbefore: type: date
suricata.eve.tls.issuerdn: type: keyword
suricata.eve.tls.sni: type: keyword
suricata.eve.tls.version: type: keyword
suricata.eve.tls.session_resumed: type: boolean
suricata.eve.tls.fingerprint: type: keyword
suricata.eve.tls.serial: type: keyword
suricata.eve.tls.notafter: type: date
suricata.eve.tls.subject: type: keyword
suricata.eve.tls.ja3s.string: type: keyword
suricata.eve.tls.ja3s.hash: type: keyword
suricata.eve.tls.ja3.string: type: keyword
suricata.eve.tls.ja3.hash: type: keyword
suricata.eve.app_proto_ts: type: keyword
suricata.eve.flow.age: type: long
suricata.eve.flow.state: type: keyword
suricata.eve.flow.reason: type: keyword
suricata.eve.flow.alerted: type: boolean
suricata.eve.tx_id: type: long
suricata.eve.app_proto_tc: type: keyword
suricata.eve.smtp.rcpt_to: type: keyword
suricata.eve.smtp.mail_from: type: keyword
suricata.eve.smtp.helo: type: keyword
suricata.eve.app_proto_expected: type: keyword

System fields

Module for parsing system log files.

system

Fields from the system log files.

auth

Fields from the Linux authorization logs.

system.auth.timestamp: type: alias

alias to: @timestamp
system.auth.hostname: type: alias

alias to: host.hostname
system.auth.program: type: alias

alias to: process.name
system.auth.pid: type: alias

alias to: process.pid
system.auth.message: type: alias

alias to: message
system.auth.user: type: alias

alias to: user.name
system.auth.ssh.method: The SSH authentication method. Can be one of "password" or "publickey".
system.auth.ssh.signature: The signature of the client public key.
system.auth.ssh.dropped_ip: The client IP from SSH connections that are open and immediately dropped.

type: ip
system.auth.ssh.event: The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)

example: Accepted
system.auth.ssh.ip: type: alias

alias to: source.ip
system.auth.ssh.port: type: alias

alias to: source.port
system.auth.ssh.geoip.continent_name: type: alias

alias to: source.geo.continent_name
system.auth.ssh.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
system.auth.ssh.geoip.location: type: alias

alias to: source.geo.location
system.auth.ssh.geoip.region_name: type: alias

alias to: source.geo.region_name
system.auth.ssh.geoip.city_name: type: alias

alias to: source.geo.city_name
system.auth.ssh.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

sudo

Fields specific to events created by the sudo command.

system.auth.sudo.error: The error message in case the sudo command failed.

example: user NOT in sudoers
system.auth.sudo.tty: The TTY where the sudo command is executed.
system.auth.sudo.pwd: The current directory where the sudo command is executed.
system.auth.sudo.user: The target user to which the sudo command is switching.

example: root
system.auth.sudo.command: The command executed via sudo.

useradd

Fields specific to events created by the useradd command.

system.auth.useradd.home: The home folder for the new user.
system.auth.useradd.shell: The default shell for the new user.
system.auth.useradd.name: type: alias

alias to: user.name
system.auth.useradd.uid: type: alias

alias to: user.id
system.auth.useradd.gid: type: alias

alias to: group.id

groupadd

Fields specific to events created by the groupadd command.

system.auth.groupadd.name: type: alias

alias to: group.name
system.auth.groupadd.gid: type: alias

alias to: group.id

syslog

Contains fields from the syslog system logs.

system.syslog.timestamp: type: alias

alias to: @timestamp
system.syslog.hostname: type: alias

alias to: host.hostname
system.syslog.program: type: alias

alias to: process.name
system.syslog.pid: type: alias

alias to: process.pid
system.syslog.message: type: alias

alias to: message

threatintel fields

Threat intelligence Filebeat Module.

threat.indicator.file.hash.tlsh: The file’s import tlsh, if available.

type: keyword
threat.indicator.file.hash.sha384: The file’s sha384 hash, if available.

type: keyword
threat.feed.name: type: keyword
threat.feed.dashboard_id: type: keyword

abusech.malware

Fields for AbuseCH Malware Threat Intel

abusech.malware.file_type: File type guessed by URLhaus.

type: keyword
abusech.malware.signature: Malware familiy.

type: keyword
abusech.malware.urlhaus_download: Location (URL) where you can download a copy of this file.

type: keyword
abusech.malware.virustotal.result: AV detection ration.

type: keyword
abusech.malware.virustotal.percent: AV detection in percent.

type: float
abusech.malware.virustotal.link: Link to the Virustotal report.

type: keyword

abusech.url

Fields for AbuseCH Malware Threat Intel

abusech.url.id: The ID of the url.

type: keyword
abusech.url.urlhaus_reference: Link to URLhaus entry.

type: keyword
abusech.url.url_status: The current status of the URL. Possible values are: online, offline and unknown.

type: keyword
abusech.url.threat: The threat corresponding to this malware URL.

type: keyword
abusech.url.blacklists.surbl: SURBL blacklist status. Possible values are: listed and not_listed

type: keyword
abusech.url.blacklists.spamhaus_dbl: Spamhaus DBL blacklist status.

type: keyword
abusech.url.reporter: The Twitter handle of the reporter that has reported this malware URL (or anonymous).

type: keyword
abusech.url.larted: Indicates whether the malware URL has been reported to the hosting provider (true or false)

type: boolean
abusech.url.tags: A list of tags associated with the queried malware URL

type: keyword

anomali.limo

Fields for Anomali Threat Intel

anomali.limo.id: The ID of the indicator.

type: keyword
anomali.limo.name: The name of the indicator.

type: keyword
anomali.limo.pattern: The pattern ID of the indicator.

type: keyword
anomali.limo.valid_from: When the indicator was first found or is considered valid.

type: date
anomali.limo.modified: When the indicator was last modified

type: date
anomali.limo.labels: The labels related to the indicator

type: keyword
anomali.limo.indicator: The value of the indicator, for example if the type is domain, this would be the value.

type: keyword
anomali.limo.description: A description of the indicator.

type: keyword
anomali.limo.title: Title describing the indicator.

type: keyword
anomali.limo.content: Extra text or descriptive content related to the indicator.

type: keyword
anomali.limo.type: The indicator type, can for example be "domain, email, FileHash-SHA256".

type: keyword
anomali.limo.object_marking_refs: The STIX reference object.

type: keyword

anomali.threatstream

Fields for Anomali ThreatStream

anomali.threatstream.classification: Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.

type: keyword

example: private
anomali.threatstream.confidence: The measure of the accuracy (from 0 to 100) assigned by ThreatStream’s predictive analytics technology to indicators.

type: short
anomali.threatstream.detail2: Detail text for indicator.

type: text

example: Imported by user 42.
anomali.threatstream.id: The ID of the indicator.

type: keyword
anomali.threatstream.import_session_id: ID of the import session that created the indicator on ThreatStream.

type: keyword
anomali.threatstream.itype: Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".

type: keyword
anomali.threatstream.maltype: Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.

type: wildcard
anomali.threatstream.md5: Hash for the indicator.

type: keyword
anomali.threatstream.resource_uri: Relative URI for the indicator details.

type: keyword
anomali.threatstream.severity: Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.

type: keyword
anomali.threatstream.source: Source for the indicator.

type: keyword

example: Analyst
anomali.threatstream.source_feed_id: ID for the integrator source.

type: keyword
anomali.threatstream.state: State for this indicator.

type: keyword

example: active
anomali.threatstream.trusted_circle_ids: ID of the trusted circle that imported the indicator.

type: keyword
anomali.threatstream.update_id: Update ID.

type: keyword
anomali.threatstream.url: URL for the indicator.

type: keyword
anomali.threatstream.value_type: Data type of the indicator. Possible values: ip, domain, url, email, md5.

type: keyword

abusech.malwarebazaar

Fields for Malware Bazaar Threat Intel

abusech.malwarebazaar.file_type: File type guessed by Malware Bazaar.

type: keyword
abusech.malwarebazaar.signature: Malware familiy.

type: keyword
abusech.malwarebazaar.tags: A list of tags associated with the queried malware sample.

type: keyword
abusech.malwarebazaar.intelligence.downloads: Number of downloads from MalwareBazaar.

type: long
abusech.malwarebazaar.intelligence.uploads: Number of uploads from MalwareBazaar.

type: long
abusech.malwarebazaar.intelligence.mail.Generic: Malware seen in generic spam traffic.

type: keyword
abusech.malwarebazaar.intelligence.mail.IT: Malware seen in IT spam traffic.

type: keyword
abusech.malwarebazaar.anonymous: Identifies if the sample was submitted anonymously.

type: long
abusech.malwarebazaar.code_sign: Code signing information for the sample.

type: nested

misp

Fields for MISP Threat Intel

misp.id: Attribute ID.

type: keyword
misp.orgc_id: Organization Community ID of the event.

type: keyword
misp.org_id: Organization ID of the event.

type: keyword
misp.threat_level_id: Threat level from 5 to 1, where 1 is the most critical.

type: long
misp.info: Additional text or information related to the event.

type: keyword
misp.published: When the event was published.

type: boolean
misp.uuid: The UUID of the event object.

type: keyword
misp.date: The date of when the event object was created.

type: date
misp.attribute_count: How many attributes are included in a single event object.

type: long
misp.timestamp: The timestamp of when the event object was created.

type: date
misp.distribution: Distribution type related to MISP.

type: keyword
misp.proposal_email_lock: Settings configured on MISP for email lock on this event object.

type: boolean
misp.locked: If the current MISP event object is locked or not.

type: boolean
misp.publish_timestamp: At what time the event object was published

type: date
misp.sharing_group_id: The ID of the grouped events or sources of the event.

type: keyword
misp.disable_correlation: If correlation is disabled on the MISP event object.

type: boolean
misp.extends_uuid: The UUID of the event object it might extend.

type: keyword
misp.org.id: The organization ID related to the event object.

type: keyword
misp.org.name: The organization name related to the event object.

type: keyword
misp.org.uuid: The UUID of the organization related to the event object.

type: keyword
misp.org.local: If the event object is local or from a remote source.

type: boolean
misp.orgc.id: The Organization Community ID in which the event object was reported from.

type: keyword
misp.orgc.name: The Organization Community name in which the event object was reported from.

type: keyword
misp.orgc.uuid: The Organization Community UUID in which the event object was reported from.

type: keyword
misp.orgc.local: If the Organization Community was local or synced from a remote source.

type: boolean
misp.attribute.id: The ID of the attribute related to the event object.

type: keyword
misp.attribute.type: The type of the attribute related to the event object. For example email, ipv4, sha1 and such.

type: keyword
misp.attribute.category: The category of the attribute related to the event object. For example "Network Activity".

type: keyword
misp.attribute.to_ids: If the attribute should be automatically synced with an IDS.

type: boolean
misp.attribute.uuid: The UUID of the attribute related to the event.

type: keyword
misp.attribute.event_id: The local event ID of the attribute related to the event.

type: keyword
misp.attribute.distribution: How the attribute has been distributed, represented by integer numbers.

type: long
misp.attribute.timestamp: The timestamp in which the attribute was attached to the event object.

type: date
misp.attribute.comment: Comments made to the attribute itself.

type: keyword
misp.attribute.sharing_group_id: The group ID of the sharing group related to the specific attribute.

type: keyword
misp.attribute.deleted: If the attribute has been removed from the event object.

type: boolean
misp.attribute.disable_correlation: If correlation has been enabled on the attribute related to the event object.

type: boolean
misp.attribute.object_id: The ID of the Object in which the attribute is attached.

type: keyword
misp.attribute.object_relation: The type of relation the attribute has with the event object itself.

type: keyword
misp.attribute.value: The value of the attribute, depending on the type like "url, sha1, email-src".

type: keyword
misp.context.attribute.id: The ID of the secondary attribute related to the event object.

type: keyword
misp.context.attribute.type: The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.

type: keyword
misp.context.attribute.category: The category of the secondary attribute related to the event object. For example "Network Activity".

type: keyword
misp.context.attribute.to_ids: If the secondary attribute should be automatically synced with an IDS.

type: boolean
misp.context.attribute.uuid: The UUID of the secondary attribute related to the event.

type: keyword
misp.context.attribute.event_id: The local event ID of the secondary attribute related to the event.

type: keyword
misp.context.attribute.distribution: How the secondary attribute has been distributed, represented by integer numbers.

type: long
misp.context.attribute.timestamp: The timestamp in which the secondary attribute was attached to the event object.

type: date
misp.context.attribute.comment: Comments made to the secondary attribute itself.

type: keyword
misp.context.attribute.sharing_group_id: The group ID of the sharing group related to the specific secondary attribute.

type: keyword
misp.context.attribute.deleted: If the secondary attribute has been removed from the event object.

type: boolean
misp.context.attribute.disable_correlation: If correlation has been enabled on the secondary attribute related to the event object.

type: boolean
misp.context.attribute.object_id: The ID of the Object in which the secondary attribute is attached.

type: keyword
misp.context.attribute.object_relation: The type of relation the secondary attribute has with the event object itself.

type: keyword
misp.context.attribute.value: The value of the attribute, depending on the type like "url, sha1, email-src".

type: keyword

otx

Fields for OTX Threat Intel

otx.id: The ID of the indicator.

type: keyword
otx.indicator: The value of the indicator, for example if the type is domain, this would be the value.

type: keyword
otx.description: A description of the indicator.

type: keyword
otx.title: Title describing the indicator.

type: keyword
otx.content: Extra text or descriptive content related to the indicator.

type: keyword
otx.type: The indicator type, can for example be "domain, email, FileHash-SHA256".

type: keyword

threatq

Fields for ThreatQ Threat Library

threatq.updated_at: Last modification time

type: date
threatq.created_at: Object creation time

type: date
threatq.expires_at: Expiration time

type: date
threatq.expires_calculated_at: Expiration calculation time

type: date
threatq.published_at: Object publication time

type: date
threatq.status: Object status within the Threat Library

type: keyword
threatq.indicator_value: Original indicator value

type: keyword
threatq.adversaries: Adversaries that are linked to the object

type: keyword
threatq.attributes: These provide additional context about an object

type: flattened

Apache Tomcat fields

tomcat fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Traefik fields

Module for parsing the Traefik log files.

traefik

Fields from the Traefik log files.

access

Contains fields for the Traefik access logs.

traefik.access.user_identifier: Is the RFC 1413 identity of the client

type: keyword
traefik.access.request_count: The number of requests

type: long
traefik.access.frontend_name: The name of the frontend used

type: keyword
traefik.access.backend_url: The url of the backend where request is forwarded

type: keyword
traefik.access.body_sent.bytes: type: alias

alias to: http.response.body.bytes
traefik.access.remote_ip: type: alias

alias to: source.address
traefik.access.user_name: type: alias

alias to: user.name
traefik.access.method: type: alias

alias to: http.request.method
traefik.access.url: type: alias

alias to: url.original
traefik.access.http_version: type: alias

alias to: http.version
traefik.access.response_code: type: alias

alias to: http.response.status_code
traefik.access.referrer: type: alias

alias to: http.request.referrer
traefik.access.agent: type: alias

alias to: user_agent.original
traefik.access.user_agent.name: type: alias

alias to: user_agent.name
traefik.access.user_agent.os: type: alias

alias to: user_agent.os.full_name
traefik.access.user_agent.os_name: type: alias

alias to: user_agent.os.name
traefik.access.user_agent.original: type: alias

alias to: user_agent.original
traefik.access.geoip.continent_name: type: alias

alias to: source.geo.continent_name
traefik.access.geoip.country_iso_code: type: alias

alias to: source.geo.country_iso_code
traefik.access.geoip.location: type: alias

alias to: source.geo.location
traefik.access.geoip.region_name: type: alias

alias to: source.geo.region_name
traefik.access.geoip.city_name: type: alias

alias to: source.geo.city_name
traefik.access.geoip.region_iso_code: type: alias

alias to: source.geo.region_iso_code

Zeek fields

Module for handling logs produced by Zeek/Bro

zeek

Fields from Zeek/Bro logs after normalization

zeek.session_id: A unique identifier of the session

type: keyword

capture_loss

Fields exported by the Zeek capture_loss log

zeek.capture_loss.ts_delta: The time delay between this measurement and the last.

type: integer
zeek.capture_loss.peer: In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.

type: keyword
zeek.capture_loss.gaps: Number of missed ACKs from the previous measurement interval.

type: integer
zeek.capture_loss.acks: Total number of ACKs seen in the previous measurement interval.

type: integer
zeek.capture_loss.percent_lost: Percentage of ACKs seen where the data being ACKed wasn’t seen.

type: double

connection

Fields exported by the Zeek Connection log

zeek.connection.local_orig: Indicates whether the session is originated locally.

type: boolean
zeek.connection.local_resp: Indicates whether the session is responded locally.

type: boolean
zeek.connection.missed_bytes: Missed bytes for the session.

type: long
zeek.connection.state: Code indicating the state of the session.

type: keyword
zeek.connection.state_message: The state of the session.

type: keyword
zeek.connection.icmp.type: ICMP message type.

type: integer
zeek.connection.icmp.code: ICMP message code.

type: integer
zeek.connection.history: Flags indicating the history of the session.

type: keyword
zeek.connection.vlan: VLAN identifier.

type: integer
zeek.connection.inner_vlan: VLAN identifier.

type: integer

dce_rpc

Fields exported by the Zeek DCE_RPC log

zeek.dce_rpc.rtt: Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

type: integer
zeek.dce_rpc.named_pipe: Remote pipe name.

type: keyword
zeek.dce_rpc.endpoint: Endpoint name looked up from the uuid.

type: keyword
zeek.dce_rpc.operation: Operation seen in the call.

type: keyword

dhcp

Fields exported by the Zeek DHCP log

zeek.dhcp.domain: Domain given by the server in option 15.

type: keyword
zeek.dhcp.duration: Duration of the DHCP session representing the time from the first message to the last, in seconds.

type: double
zeek.dhcp.hostname: Name given by client in Hostname option 12.

type: keyword
zeek.dhcp.client_fqdn: FQDN given by client in Client FQDN option 81.

type: keyword
zeek.dhcp.lease_time: IP address lease interval in seconds.

type: integer

address

Addresses seen in this DHCP exchange.

zeek.dhcp.address.assigned: IP address assigned by the server.

type: ip
zeek.dhcp.address.client: IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address.

type: ip
zeek.dhcp.address.mac: Client’s hardware address.

type: keyword
zeek.dhcp.address.requested: IP address requested by the client.

type: ip
zeek.dhcp.address.server: IP address of the DHCP server.

type: ip
zeek.dhcp.msg.types: List of DHCP message types seen in this exchange.

type: keyword
zeek.dhcp.msg.origin: (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field.

type: ip
zeek.dhcp.msg.client: Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address.

type: keyword
zeek.dhcp.msg.server: Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request.

type: keyword
zeek.dhcp.software.client: (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.

type: keyword
zeek.dhcp.software.server: (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.

type: keyword
zeek.dhcp.id.circuit: (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number.

type: keyword
zeek.dhcp.id.remote_agent: (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit.

type: keyword
zeek.dhcp.id.subscriber: (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected.

type: keyword

dnp3

Fields exported by the Zeek DNP3 log

zeek.dnp3.function.request: The name of the function message in the request.

type: keyword
zeek.dnp3.function.reply: The name of the function message in the reply.

type: keyword
zeek.dnp3.id: The response’s internal indication number.

type: integer

dns

Fields exported by the Zeek DNS log

zeek.dns.trans_id: DNS transaction identifier.

type: keyword
zeek.dns.rtt: Round trip time for the query and response.

type: double
zeek.dns.query: The domain name that is the subject of the DNS query.

type: keyword
zeek.dns.qclass: The QCLASS value specifying the class of the query.

type: long
zeek.dns.qclass_name: A descriptive name for the class of the query.

type: keyword
zeek.dns.qtype: A QTYPE value specifying the type of the query.

type: long
zeek.dns.qtype_name: A descriptive name for the type of the query.

type: keyword
zeek.dns.rcode: The response code value in DNS response messages.

type: long
zeek.dns.rcode_name: A descriptive name for the response code value.

type: keyword
zeek.dns.AA: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.

type: boolean
zeek.dns.TC: The Truncation bit specifies that the message was truncated.

type: boolean
zeek.dns.RD: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.

type: boolean
zeek.dns.RA: The Recursion Available bit in a response message indicates that the name server supports recursive queries.

type: boolean
zeek.dns.answers: The set of resource descriptions in the query answer.

type: keyword
zeek.dns.TTLs: The caching intervals of the associated RRs described by the answers field.

type: double
zeek.dns.rejected: Indicates whether the DNS query was rejected by the server.

type: boolean
zeek.dns.total_answers: The total number of resource records in the reply.

type: integer
zeek.dns.total_replies: The total number of resource records in the reply message.

type: integer
zeek.dns.saw_query: Whether the full DNS query has been seen.

type: boolean
zeek.dns.saw_reply: Whether the full DNS reply has been seen.

type: boolean

dpd

Fields exported by the Zeek DPD log

zeek.dpd.analyzer: The analyzer that generated the violation.

type: keyword
zeek.dpd.failure_reason: The textual reason for the analysis failure.

type: keyword
zeek.dpd.packet_segment: (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.

type: keyword

files

Fields exported by the Zeek Files log.

zeek.files.fuid: A file unique identifier.

type: keyword
zeek.files.tx_host: The host that transferred the file.

type: ip
zeek.files.rx_host: The host that received the file.

type: ip
zeek.files.session_ids: The sessions that have this file.

type: keyword
zeek.files.source: An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

type: keyword
zeek.files.depth: A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.

type: long
zeek.files.analyzers: A set of analysis types done during the file analysis.

type: keyword
zeek.files.mime_type: Mime type of the file.

type: keyword
zeek.files.filename: Name of the file if available.

type: keyword
zeek.files.local_orig: If the source of this file is a network connection, this field indicates if the data originated from the local network or not.

type: boolean
zeek.files.is_orig: If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

type: boolean
zeek.files.duration: The duration the file was analyzed for. Not the duration of the session.

type: double
zeek.files.seen_bytes: Number of bytes provided to the file analysis engine for the file.

type: long
zeek.files.total_bytes: Total number of bytes that are supposed to comprise the full file.

type: long
zeek.files.missing_bytes: The number of bytes in the file stream that were completely missed during the process of analysis.

type: long
zeek.files.overflow_bytes: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

type: long
zeek.files.timedout: Whether the file analysis timed out at least once for the file.

type: boolean
zeek.files.parent_fuid: Identifier associated with a container file from which this one was extracted as part of the file analysis.

type: keyword
zeek.files.md5: An MD5 digest of the file contents.

type: keyword
zeek.files.sha1: A SHA1 digest of the file contents.

type: keyword
zeek.files.sha256: A SHA256 digest of the file contents.

type: keyword
zeek.files.extracted: Local filename of extracted file.

type: keyword
zeek.files.extracted_cutoff: Indicate whether the file being extracted was cut off hence not extracted completely.

type: boolean
zeek.files.extracted_size: The number of bytes extracted to disk.

type: long
zeek.files.entropy: The information density of the contents of the file.

type: double

ftp

Fields exported by the Zeek FTP log

zeek.ftp.user: User name for the current FTP session.

type: keyword
zeek.ftp.password: Password for the current FTP session if captured.

type: keyword
zeek.ftp.command: Command given by the client.

type: keyword
zeek.ftp.arg: Argument for the command if one is given.

type: keyword
zeek.ftp.file.size: Size of the file if the command indicates a file transfer.

type: long
zeek.ftp.file.mime_type: Sniffed mime type of file.

type: keyword
zeek.ftp.file.fuid: (present if base/protocols/ftp/files.bro is loaded) File unique ID.

type: keyword
zeek.ftp.reply.code: Reply code from the server in response to the command.

type: integer
zeek.ftp.reply.msg: Reply message from the server in response to the command.

type: keyword

data_channel

Expected FTP data channel.

zeek.ftp.data_channel.passive: Whether PASV mode is toggled for control channel.

type: boolean
zeek.ftp.data_channel.originating_host: The host that will be initiating the data connection.

type: ip
zeek.ftp.data_channel.response_host: The host that will be accepting the data connection.

type: ip
zeek.ftp.data_channel.response_port: The port at which the acceptor is listening for the data connection.

type: integer
zeek.ftp.cwd: Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.

type: keyword

cmdarg

Command that is currently waiting for a response.

zeek.ftp.cmdarg.cmd: Command.

type: keyword
zeek.ftp.cmdarg.arg: Argument for the command if one was given.

type: keyword
zeek.ftp.cmdarg.seq: Counter to track how many commands have been executed.

type: integer
zeek.ftp.pending_commands: Queue for commands that have been sent but not yet responded to are tracked here.

type: integer
zeek.ftp.passive: Indicates if the session is in active or passive mode.

type: boolean
zeek.ftp.capture_password: Determines if the password will be captured for this request.

type: boolean
zeek.ftp.last_auth_requested: present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used.

type: keyword

http

Fields exported by the Zeek HTTP log

zeek.http.trans_depth: Represents the pipelined depth into the connection of this request/response transaction.

type: integer
zeek.http.status_msg: Status message returned by the server.

type: keyword
zeek.http.info_code: Last seen 1xx informational reply code returned by the server.

type: integer
zeek.http.info_msg: Last seen 1xx informational reply message returned by the server.

type: keyword
zeek.http.tags: A set of indicators of various attributes discovered and related to a particular request/response pair.

type: keyword
zeek.http.password: Password if basic-auth is performed for the request.

type: keyword
zeek.http.captured_password: Determines if the password will be captured for this request.

type: boolean
zeek.http.proxied: All of the headers that may indicate if the HTTP request was proxied.

type: keyword
zeek.http.range_request: Indicates if this request can assume 206 partial content in response.

type: boolean
zeek.http.client_header_names: The vector of HTTP header names sent by the client. No header values are included here, just the header names.

type: keyword
zeek.http.server_header_names: The vector of HTTP header names sent by the server. No header values are included here, just the header names.

type: keyword
zeek.http.orig_fuids: An ordered vector of file unique IDs from the originator.

type: keyword
zeek.http.orig_mime_types: An ordered vector of mime types from the originator.

type: keyword
zeek.http.orig_filenames: An ordered vector of filenames from the originator.

type: keyword
zeek.http.resp_fuids: An ordered vector of file unique IDs from the responder.

type: keyword
zeek.http.resp_mime_types: An ordered vector of mime types from the responder.

type: keyword
zeek.http.resp_filenames: An ordered vector of filenames from the responder.

type: keyword
zeek.http.orig_mime_depth: Current number of MIME entities in the HTTP request message body.

type: integer
zeek.http.resp_mime_depth: Current number of MIME entities in the HTTP response message body.

type: integer

intel

Fields exported by the Zeek Intel log.

zeek.intel.seen.indicator: The intelligence indicator.

type: keyword
zeek.intel.seen.indicator_type: The type of data the indicator represents.

type: keyword
zeek.intel.seen.host: If the indicator type was Intel::ADDR, then this field will be present.

type: keyword
zeek.intel.seen.conn: If the data was discovered within a connection, the connection record should go here to give context to the data.

type: keyword
zeek.intel.seen.where: Where the data was discovered.

type: keyword
zeek.intel.seen.node: The name of the node where the match was discovered.

type: keyword
zeek.intel.seen.uid: If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.

type: keyword
zeek.intel.seen.f: If the data was discovered within a file, the file record should go here to provide context to the data.

type: object
zeek.intel.seen.fuid: If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.

type: keyword
zeek.intel.matched: Event to represent a match in the intelligence data from data that was seen.

type: keyword
zeek.intel.sources: Sources which supplied data for this match.

type: keyword
zeek.intel.fuid: If a file was associated with this intelligence hit, this is the uid for the file.

type: keyword
zeek.intel.file_mime_type: A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.

type: keyword
zeek.intel.file_desc: Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.

type: keyword

irc

Fields exported by the Zeek IRC log

zeek.irc.nick: Nickname given for the connection.

type: keyword
zeek.irc.user: Username given for the connection.

type: keyword
zeek.irc.command: Command given by the client.

type: keyword
zeek.irc.value: Value for the command given by the client.

type: keyword
zeek.irc.addl: Any additional data for the command.

type: keyword
zeek.irc.dcc.file.name: Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested.

type: keyword
zeek.irc.dcc.file.size: Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender.

type: long
zeek.irc.dcc.mime_type: present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file.

type: keyword
zeek.irc.fuid: present if base/protocols/irc/files.bro is loaded. File unique ID.

type: keyword

kerberos

Fields exported by the Zeek Kerberos log

zeek.kerberos.request_type: Request type - Authentication Service (AS) or Ticket Granting Service (TGS).

type: keyword
zeek.kerberos.client: Client name.

type: keyword
zeek.kerberos.service: Service name.

type: keyword
zeek.kerberos.success: Request result.

type: boolean
zeek.kerberos.error.code: Error code.

type: integer
zeek.kerberos.error.msg: Error message.

type: keyword
zeek.kerberos.valid.from: Ticket valid from.

type: date
zeek.kerberos.valid.until: Ticket valid until.

type: date
zeek.kerberos.valid.days: Number of days the ticket is valid for.

type: integer
zeek.kerberos.cipher: Ticket encryption type.

type: keyword
zeek.kerberos.forwardable: Forwardable ticket requested.

type: boolean
zeek.kerberos.renewable: Renewable ticket requested.

type: boolean
zeek.kerberos.ticket.auth: Hash of ticket used to authorize request/transaction.

type: keyword
zeek.kerberos.ticket.new: Hash of ticket returned by the KDC.

type: keyword
zeek.kerberos.cert.client.value: Client certificate.

type: keyword
zeek.kerberos.cert.client.fuid: File unique ID of client cert.

type: keyword
zeek.kerberos.cert.client.subject: Subject of client certificate.

type: keyword
zeek.kerberos.cert.server.value: Server certificate.

type: keyword
zeek.kerberos.cert.server.fuid: File unique ID of server certificate.

type: keyword
zeek.kerberos.cert.server.subject: Subject of server certificate.

type: keyword

modbus

Fields exported by the Zeek modbus log.

zeek.modbus.function: The name of the function message that was sent.

type: keyword
zeek.modbus.exception: The exception if the response was a failure.

type: keyword
zeek.modbus.track_address: Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address.

type: integer

mysql

Fields exported by the Zeek MySQL log.

zeek.mysql.cmd: The command that was issued.

type: keyword
zeek.mysql.arg: The argument issued to the command.

type: keyword
zeek.mysql.success: Whether the command succeeded.

type: boolean
zeek.mysql.rows: The number of affected rows, if any.

type: integer
zeek.mysql.response: Server message, if any.

type: keyword

notice

Fields exported by the Zeek Notice log.

zeek.notice.connection_id: Identifier of the related connection session.

type: keyword
zeek.notice.icmp_id: Identifier of the related ICMP session.

type: keyword
zeek.notice.file.id: An identifier associated with a single file that is related to this notice.

type: keyword
zeek.notice.file.parent_id: Identifier associated with a container file from which this one was extracted.

type: keyword
zeek.notice.file.source: An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

type: keyword
zeek.notice.file.mime_type: A mime type if the notice is related to a file.

type: keyword
zeek.notice.file.is_orig: If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

type: boolean
zeek.notice.file.seen_bytes: Number of bytes provided to the file analysis engine for the file.

type: long
zeek.notice.ffile.total_bytes: Total number of bytes that are supposed to comprise the full file.

type: long
zeek.notice.file.missing_bytes: The number of bytes in the file stream that were completely missed during the process of analysis.

type: long
zeek.notice.file.overflow_bytes: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

type: long
zeek.notice.fuid: A file unique ID if this notice is related to a file.

type: keyword
zeek.notice.note: The type of the notice.

type: keyword
zeek.notice.msg: The human readable message for the notice.

type: keyword
zeek.notice.sub: The human readable sub-message.

type: keyword
zeek.notice.n: Associated count, or a status code.

type: long
zeek.notice.peer_name: Name of remote peer that raised this notice.

type: keyword
zeek.notice.peer_descr: Textual description for the peer that raised this notice.

type: text
zeek.notice.actions: The actions which have been applied to this notice.

type: keyword
zeek.notice.email_body_sections: By adding chunks of text into this element, other scripts can expand on notices that are being emailed.

type: text
zeek.notice.email_delay_tokens: Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration.

type: keyword
zeek.notice.identifier: This field is provided when a notice is generated for the purpose of deduplicating notices.

type: keyword
zeek.notice.suppress_for: This field indicates the length of time that this unique notice should be suppressed.

type: double
zeek.notice.dropped: Indicate if the source IP address was dropped and denied network access.

type: boolean

ntlm

Fields exported by the Zeek NTLM log.

zeek.ntlm.domain: Domain name given by the client.

type: keyword
zeek.ntlm.hostname: Hostname given by the client.

type: keyword
zeek.ntlm.success: Indicate whether or not the authentication was successful.

type: boolean
zeek.ntlm.username: Username given by the client.

type: keyword
zeek.ntlm.server.name.dns: DNS name given by the server in a CHALLENGE.

type: keyword
zeek.ntlm.server.name.netbios: NetBIOS name given by the server in a CHALLENGE.

type: keyword
zeek.ntlm.server.name.tree: Tree name given by the server in a CHALLENGE.

type: keyword

ntp

Fields exported by the Zeek NTP log.

zeek.ntp.version: The NTP version number (1, 2, 3, 4).

type: integer
zeek.ntp.mode: The NTP mode being used.

type: integer
zeek.ntp.stratum: The stratum (primary server, secondary server, etc.).

type: integer
zeek.ntp.poll: The maximum interval between successive messages in seconds.

type: double
zeek.ntp.precision: The precision of the system clock in seconds.

type: double
zeek.ntp.root_delay: Total round-trip delay to the reference clock in seconds.

type: double
zeek.ntp.root_disp: Total dispersion to the reference clock in seconds.

type: double
zeek.ntp.ref_id: For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).

type: keyword
zeek.ntp.ref_time: Time when the system clock was last set or correct.

type: date
zeek.ntp.org_time: Time at the client when the request departed for the NTP server.

type: date
zeek.ntp.rec_time: Time at the server when the request arrived from the NTP client.

type: date
zeek.ntp.xmt_time: Time at the server when the response departed for the NTP client.

type: date
zeek.ntp.num_exts: Number of extension fields (which are not currently parsed).

type: integer

ocsp

Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.

zeek.ocsp.file_id: File id of the OCSP reply.

type: keyword
zeek.ocsp.hash.algorithm: Hash algorithm used to generate issuerNameHash and issuerKeyHash.

type: keyword
zeek.ocsp.hash.issuer.name: Hash of the issuer’s distingueshed name.

type: keyword
zeek.ocsp.hash.issuer.key: Hash of the issuer’s public key.

type: keyword
zeek.ocsp.serial_number: Serial number of the affected certificate.

type: keyword
zeek.ocsp.status: Status of the affected certificate.

type: keyword
zeek.ocsp.revoke.time: Time at which the certificate was revoked.

type: date
zeek.ocsp.revoke.reason: Reason for which the certificate was revoked.

type: keyword
zeek.ocsp.update.this: The time at which the status being shows is known to have been correct.

type: date
zeek.ocsp.update.next: The latest time at which new information about the status of the certificate will be available.

type: date

pe

Fields exported by the Zeek pe log.

zeek.pe.client: The client’s version string.

type: keyword
zeek.pe.id: File id of this portable executable file.

type: keyword
zeek.pe.machine: The target machine that the file was compiled for.

type: keyword
zeek.pe.compile_time: The time that the file was created at.

type: date
zeek.pe.os: The required operating system.

type: keyword
zeek.pe.subsystem: The subsystem that is required to run this file.

type: keyword
zeek.pe.is_exe: Is the file an executable, or just an object file?

type: boolean
zeek.pe.is_64bit: Is the file a 64-bit executable?

type: boolean
zeek.pe.uses_aslr: Does the file support Address Space Layout Randomization?

type: boolean
zeek.pe.uses_dep: Does the file support Data Execution Prevention?

type: boolean
zeek.pe.uses_code_integrity: Does the file enforce code integrity checks?

type: boolean
zeek.pe.uses_seh: Does the file use structured exception handing?

type: boolean
zeek.pe.has_import_table: Does the file have an import table?

type: boolean
zeek.pe.has_export_table: Does the file have an export table?

type: boolean
zeek.pe.has_cert_table: Does the file have an attribute certificate table?

type: boolean
zeek.pe.has_debug_data: Does the file have a debug table?

type: boolean
zeek.pe.section_names: The names of the sections, in order.

type: keyword

radius

Fields exported by the Zeek Radius log.

zeek.radius.username: The username, if present.

type: keyword
zeek.radius.mac: MAC address, if present.

type: keyword
zeek.radius.framed_addr: The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

type: ip
zeek.radius.remote_ip: Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.

type: ip
zeek.radius.connect_info: Connect info, if present.

type: keyword
zeek.radius.reply_msg: Reply message from the server challenge. This is frequently shown to the user authenticating.

type: keyword
zeek.radius.result: Successful or failed authentication.

type: keyword
zeek.radius.ttl: The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.

type: integer
zeek.radius.logged: Whether this has already been logged and can be ignored.

type: boolean

rdp

Fields exported by the Zeek RDP log.

zeek.rdp.cookie: Cookie value used by the client machine. This is typically a username.

type: keyword
zeek.rdp.result: Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages.

type: keyword
zeek.rdp.security_protocol: Security protocol chosen by the server.

type: keyword
zeek.rdp.keyboard_layout: Keyboard layout (language) of the client machine.

type: keyword
zeek.rdp.client.build: RDP client version used by the client machine.

type: keyword
zeek.rdp.client.client_name: Name of the client machine.

type: keyword
zeek.rdp.client.product_id: Product ID of the client machine.

type: keyword
zeek.rdp.desktop.width: Desktop width of the client machine.

type: integer
zeek.rdp.desktop.height: Desktop height of the client machine.

type: integer
zeek.rdp.desktop.color_depth: The color depth requested by the client in the high_color_depth field.

type: keyword
zeek.rdp.cert.type: If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

type: keyword
zeek.rdp.cert.count: The number of certs seen. X.509 can transfer an entire certificate chain.

type: integer
zeek.rdp.cert.permanent: Indicates if the provided certificate or certificate chain is permanent or temporary.

type: boolean
zeek.rdp.encryption.level: Encryption level of the connection.

type: keyword
zeek.rdp.encryption.method: Encryption method of the connection.

type: keyword
zeek.rdp.done: Track status of logging RDP connections.

type: boolean
zeek.rdp.ssl: (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL.

type: boolean

rfb

Fields exported by the Zeek RFB log.

zeek.rfb.version.client.major: Major version of the client.

type: keyword
zeek.rfb.version.client.minor: Minor version of the client.

type: keyword
zeek.rfb.version.server.major: Major version of the server.

type: keyword
zeek.rfb.version.server.minor: Minor version of the server.

type: keyword
zeek.rfb.auth.success: Whether or not authentication was successful.

type: boolean
zeek.rfb.auth.method: Identifier of authentication method used.

type: keyword
zeek.rfb.share_flag: Whether the client has an exclusive or a shared session.

type: boolean
zeek.rfb.desktop_name: Name of the screen that is being shared.

type: keyword
zeek.rfb.width: Width of the screen that is being shared.

type: integer
zeek.rfb.height: Height of the screen that is being shared.

type: integer

signature

Fields exported by the Zeek Signature log.

zeek.signature.note: Notice associated with signature event.

type: keyword
zeek.signature.sig_id: The name of the signature that matched.

type: keyword
zeek.signature.event_msg: A more descriptive message of the signature-matching event.

type: keyword
zeek.signature.sub_msg: Extracted payload data or extra message.

type: keyword
zeek.signature.sig_count: Number of sigs, usually from summary count.

type: integer
zeek.signature.host_count: Number of hosts, from a summary count.

type: integer

sip

Fields exported by the Zeek SIP log.

zeek.sip.transaction_depth: Represents the pipelined depth into the connection of this request/response transaction.

type: integer
zeek.sip.sequence.method: Verb used in the SIP request (INVITE, REGISTER etc.).

type: keyword
zeek.sip.sequence.number: Contents of the CSeq: header from the client.

type: keyword
zeek.sip.uri: URI used in the request.

type: keyword
zeek.sip.date: Contents of the Date: header from the client.

type: keyword
zeek.sip.request.from: Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

type: keyword
zeek.sip.request.to: Contents of the To: header.

type: keyword
zeek.sip.request.path: The client message transmission path, as extracted from the headers.

type: keyword
zeek.sip.request.body_length: Contents of the Content-Length: header from the client.

type: long
zeek.sip.response.from: Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

type: keyword
zeek.sip.response.to: Contents of the response To: header.

type: keyword
zeek.sip.response.path: The server message transmission path, as extracted from the headers.

type: keyword
zeek.sip.response.body_length: Contents of the Content-Length: header from the server.

type: long
zeek.sip.reply_to: Contents of the Reply-To: header.

type: keyword
zeek.sip.call_id: Contents of the Call-ID: header from the client.

type: keyword
zeek.sip.subject: Contents of the Subject: header from the client.

type: keyword
zeek.sip.user_agent: Contents of the User-Agent: header from the client.

type: keyword
zeek.sip.status.code: Status code returned by the server.

type: integer
zeek.sip.status.msg: Status message returned by the server.

type: keyword
zeek.sip.warning: Contents of the Warning: header.

type: keyword
zeek.sip.content_type: Contents of the Content-Type: header from the server.

type: keyword

smb_cmd

Fields exported by the Zeek smb_cmd log.

zeek.smb_cmd.command: The command sent by the client.

type: keyword
zeek.smb_cmd.sub_command: The subcommand sent by the client, if present.

type: keyword
zeek.smb_cmd.argument: Command argument sent by the client, if any.

type: keyword
zeek.smb_cmd.status: Server reply to the client’s command.

type: keyword
zeek.smb_cmd.rtt: Round trip time from the request to the response.

type: double
zeek.smb_cmd.version: Version of SMB for the command.

type: keyword
zeek.smb_cmd.username: Authenticated username, if available.

type: keyword
zeek.smb_cmd.tree: If this is related to a tree, this is the tree that was used for the current command.

type: keyword
zeek.smb_cmd.tree_service: The type of tree (disk share, printer share, named pipe, etc.).

type: keyword

file

If the command referenced a file, store it here.

zeek.smb_cmd.file.name: Filename if one was seen.

type: keyword
zeek.smb_cmd.file.action: Action this log record represents.

type: keyword
zeek.smb_cmd.file.uid: UID of the referenced file.

type: keyword
zeek.smb_cmd.file.host.tx: Address of the transmitting host.

type: ip
zeek.smb_cmd.file.host.rx: Address of the receiving host.

type: ip
zeek.smb_cmd.smb1_offered_dialects: Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client.

type: keyword
zeek.smb_cmd.smb2_offered_dialects: Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client.

type: integer

smb_files

Fields exported by the Zeek SMB Files log.

zeek.smb_files.action: Action this log record represents.

type: keyword
zeek.smb_files.fid: ID referencing this file.

type: integer
zeek.smb_files.name: Filename if one was seen.

type: keyword
zeek.smb_files.path: Path pulled from the tree this file was transferred to or from.

type: keyword
zeek.smb_files.previous_name: If the rename action was seen, this will be the file’s previous name.

type: keyword
zeek.smb_files.size: Byte size of the file.

type: long

times

Timestamps of the file.

zeek.smb_files.times.accessed: The file’s access time.

type: date
zeek.smb_files.times.changed: The file’s change time.

type: date
zeek.smb_files.times.created: The file’s create time.

type: date
zeek.smb_files.times.modified: The file’s modify time.

type: date
zeek.smb_files.uuid: UUID referencing this file if DCE/RPC.

type: keyword

smb_mapping

Fields exported by the Zeek SMB_Mapping log.

zeek.smb_mapping.path: Name of the tree path.

type: keyword
zeek.smb_mapping.service: The type of resource of the tree (disk share, printer share, named pipe, etc.).

type: keyword
zeek.smb_mapping.native_file_system: File system of the tree.

type: keyword
zeek.smb_mapping.share_type: If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

type: keyword

smtp

Fields exported by the Zeek SMTP log.

zeek.smtp.transaction_depth: A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.

type: integer
zeek.smtp.helo: Contents of the Helo header.

type: keyword
zeek.smtp.mail_from: Email addresses found in the MAIL FROM header.

type: keyword
zeek.smtp.rcpt_to: Email addresses found in the RCPT TO header.

type: keyword
zeek.smtp.date: Contents of the Date header.

type: date
zeek.smtp.from: Contents of the From header.

type: keyword
zeek.smtp.to: Contents of the To header.

type: keyword
zeek.smtp.cc: Contents of the CC header.

type: keyword
zeek.smtp.reply_to: Contents of the ReplyTo header.

type: keyword
zeek.smtp.msg_id: Contents of the MsgID header.

type: keyword
zeek.smtp.in_reply_to: Contents of the In-Reply-To header.

type: keyword
zeek.smtp.subject: Contents of the Subject header.

type: keyword
zeek.smtp.x_originating_ip: Contents of the X-Originating-IP header.

type: keyword
zeek.smtp.first_received: Contents of the first Received header.

type: keyword
zeek.smtp.second_received: Contents of the second Received header.

type: keyword
zeek.smtp.last_reply: The last message that the server sent to the client.

type: keyword
zeek.smtp.path: The message transmission path, as extracted from the headers.

type: ip
zeek.smtp.user_agent: Value of the User-Agent header from the client.

type: keyword
zeek.smtp.tls: Indicates that the connection has switched to using TLS.

type: boolean
zeek.smtp.process_received_from: Indicates if the "Received: from" headers should still be processed.

type: boolean
zeek.smtp.has_client_activity: Indicates if client activity has been seen, but not yet logged.

type: boolean
zeek.smtp.fuids: (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message.

type: keyword
zeek.smtp.is_webmail: Indicates if the message was sent through a webmail interface.

type: boolean

snmp

Fields exported by the Zeek SNMP log.

zeek.snmp.duration: The amount of time between the first packet beloning to the SNMP session and the latest one seen.

type: double
zeek.snmp.version: The version of SNMP being used.

type: keyword
zeek.snmp.community: The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.

type: keyword
zeek.snmp.get.requests: The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.

type: integer
zeek.snmp.get.bulk_requests: The number of variable bindings in GetBulkRequest PDUs seen for the session.

type: integer
zeek.snmp.get.responses: The number of variable bindings in GetResponse/Response PDUs seen for the session.

type: integer
zeek.snmp.set.requests: The number of variable bindings in SetRequest PDUs seen for the session.

type: integer
zeek.snmp.display_string: A system description of the SNMP responder endpoint.

type: keyword
zeek.snmp.up_since: The time at which the SNMP responder endpoint claims it’s been up since.

type: date

socks

Fields exported by the Zeek SOCKS log.

zeek.socks.version: Protocol version of SOCKS.

type: integer
zeek.socks.user: Username used to request a login to the proxy.

type: keyword
zeek.socks.password: Password used to request a login to the proxy.

type: keyword
zeek.socks.status: Server status for the attempt at using the proxy.

type: keyword
zeek.socks.request.host: Client requested SOCKS address. Could be an address, a name or both.

type: keyword
zeek.socks.request.port: Client requested port.

type: integer
zeek.socks.bound.host: Server bound address. Could be an address, a name or both.

type: keyword
zeek.socks.bound.port: Server bound port.

type: integer
zeek.socks.capture_password: Determines if the password will be captured for this request.

type: boolean

ssh

Fields exported by the Zeek SSH log.

zeek.ssh.client: The client’s version string.

type: keyword
zeek.ssh.direction: Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.

type: keyword
zeek.ssh.host_key: The server’s key thumbprint.

type: keyword
zeek.ssh.server: The server’s version string.

type: keyword
zeek.ssh.version: SSH major version (1 or 2).

type: integer

algorithm

Cipher algorithms used in this session.

zeek.ssh.algorithm.cipher: The encryption algorithm in use.

type: keyword
zeek.ssh.algorithm.compression: The compression algorithm in use.

type: keyword
zeek.ssh.algorithm.host_key: The server host key’s algorithm.

type: keyword
zeek.ssh.algorithm.key_exchange: The key exchange algorithm in use.

type: keyword
zeek.ssh.algorithm.mac: The signing (MAC) algorithm in use.

type: keyword
zeek.ssh.auth.attempts: The number of authentication attemps we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).

type: integer
zeek.ssh.auth.success: Authentication result.

type: boolean

ssl

Fields exported by the Zeek SSL log.

zeek.ssl.version: SSL/TLS version that was logged.

type: keyword
zeek.ssl.cipher: SSL/TLS cipher suite that was logged.

type: keyword
zeek.ssl.curve: Elliptic curve that was logged when using ECDH/ECDHE.

type: keyword
zeek.ssl.resumed: Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection.

type: boolean
zeek.ssl.next_protocol: Next protocol the server chose using the application layer next protocol extension.

type: keyword
zeek.ssl.established: Flag to indicate if this ssl session has been established successfully.

type: boolean
zeek.ssl.validation.status: Result of certificate validation for this connection.

type: keyword
zeek.ssl.validation.code: Result of certificate validation for this connection, given as OpenSSL validation code.

type: keyword
zeek.ssl.last_alert: Last alert that was seen during the connection.

type: keyword
zeek.ssl.server.name: Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting.

type: keyword
zeek.ssl.server.cert_chain: Chain of certificates offered by the server to validate its complete signing chain.

type: keyword
zeek.ssl.server.cert_chain_fuids: An ordered vector of certificate file identifiers for the certificates offered by the server.

type: keyword

issuer

Subject of the signer of the X.509 certificate offered by the server.

zeek.ssl.server.issuer.common_name: Common name of the signer of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.issuer.country: Country code of the signer of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.issuer.locality: Locality of the signer of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.issuer.organization: Organization of the signer of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.issuer.organizational_unit: Organizational unit of the signer of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.issuer.state: State or province name of the signer of the X.509 certificate offered by the server.

type: keyword

subject

Subject of the X.509 certificate offered by the server.

zeek.ssl.server.subject.common_name: Common name of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.subject.country: Country code of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.subject.locality: Locality of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.subject.organization: Organization of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.subject.organizational_unit: Organizational unit of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.server.subject.state: State or province name of the X.509 certificate offered by the server.

type: keyword
zeek.ssl.client.cert_chain: Chain of certificates offered by the client to validate its complete signing chain.

type: keyword
zeek.ssl.client.cert_chain_fuids: An ordered vector of certificate file identifiers for the certificates offered by the client.

type: keyword

issuer

Subject of the signer of the X.509 certificate offered by the client.

zeek.ssl.client.issuer.common_name: Common name of the signer of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.issuer.country: Country code of the signer of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.issuer.locality: Locality of the signer of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.issuer.organization: Organization of the signer of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.issuer.organizational_unit: Organizational unit of the signer of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.issuer.state: State or province name of the signer of the X.509 certificate offered by the client.

type: keyword

subject

Subject of the X.509 certificate offered by the client.

zeek.ssl.client.subject.common_name: Common name of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.subject.country: Country code of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.subject.locality: Locality of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.subject.organization: Organization of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.subject.organizational_unit: Organizational unit of the X.509 certificate offered by the client.

type: keyword
zeek.ssl.client.subject.state: State or province name of the X.509 certificate offered by the client.

type: keyword

stats

Fields exported by the Zeek stats log.

zeek.stats.peer: Peer that generated this log. Mostly for clusters.

type: keyword
zeek.stats.memory: Amount of memory currently in use in MB.

type: integer
zeek.stats.packets.processed: Number of packets processed since the last stats interval.

type: long
zeek.stats.packets.dropped: Number of packets dropped since the last stats interval if reading live traffic.

type: long
zeek.stats.packets.received: Number of packets seen on the link since the last stats interval if reading live traffic.

type: long
zeek.stats.bytes.received: Number of bytes received since the last stats interval if reading live traffic.

type: long
zeek.stats.connections.tcp.active: TCP connections currently in memory.

type: integer
zeek.stats.connections.tcp.count: TCP connections seen since last stats interval.

type: integer
zeek.stats.connections.udp.active: UDP connections currently in memory.

type: integer
zeek.stats.connections.udp.count: UDP connections seen since last stats interval.

type: integer
zeek.stats.connections.icmp.active: ICMP connections currently in memory.

type: integer
zeek.stats.connections.icmp.count: ICMP connections seen since last stats interval.

type: integer
zeek.stats.events.processed: Number of events processed since the last stats interval.

type: integer
zeek.stats.events.queued: Number of events that have been queued since the last stats interval.

type: integer
zeek.stats.timers.count: Number of timers scheduled since last stats interval.

type: integer
zeek.stats.timers.active: Current number of scheduled timers.

type: integer
zeek.stats.files.count: Number of files seen since last stats interval.

type: integer
zeek.stats.files.active: Current number of files actively being seen.

type: integer
zeek.stats.dns_requests.count: Number of DNS requests seen since last stats interval.

type: integer
zeek.stats.dns_requests.active: Current number of DNS requests awaiting a reply.

type: integer
zeek.stats.reassembly_size.tcp: Current size of TCP data in reassembly.

type: integer
zeek.stats.reassembly_size.file: Current size of File data in reassembly.

type: integer
zeek.stats.reassembly_size.frag: Current size of packet fragment data in reassembly.

type: integer
zeek.stats.reassembly_size.unknown: Current size of unknown data in reassembly (this is only PIA buffer right now).

type: integer
zeek.stats.timestamp_lag: Lag between the wall clock and packet timestamps if reading live traffic.

type: integer

syslog

Fields exported by the Zeek syslog log.

zeek.syslog.facility: Syslog facility for the message.

type: keyword
zeek.syslog.severity: Syslog severity for the message.

type: keyword
zeek.syslog.message: The plain text message.

type: keyword

tunnel

Fields exported by the Zeek SSH log.

zeek.tunnel.type: The type of tunnel.

type: keyword
zeek.tunnel.action: The type of activity that occurred.

type: keyword

weird

Fields exported by the Zeek Weird log.

zeek.weird.name: The name of the weird that occurred.

type: keyword
zeek.weird.additional_info: Additional information accompanying the weird if any.

type: keyword
zeek.weird.notice: Indicate if this weird was also turned into a notice.

type: boolean
zeek.weird.peer: The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.

type: keyword
zeek.weird.identifier: This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.

type: keyword

x509

Fields exported by the Zeek x509 log.

zeek.x509.id: File id of this certificate.

type: keyword

certificate

Basic information about the certificate.

zeek.x509.certificate.version: Version number.

type: integer
zeek.x509.certificate.serial: Serial number.

type: keyword

subject

Subject.

zeek.x509.certificate.subject.country: Country provided in the certificate subject.

type: keyword
zeek.x509.certificate.subject.common_name: Common name provided in the certificate subject.

type: keyword
zeek.x509.certificate.subject.locality: Locality provided in the certificate subject.

type: keyword
zeek.x509.certificate.subject.organization: Organization provided in the certificate subject.

type: keyword
zeek.x509.certificate.subject.organizational_unit: Organizational unit provided in the certificate subject.

type: keyword
zeek.x509.certificate.subject.state: State or province provided in the certificate subject.

type: keyword

issuer

Issuer.

zeek.x509.certificate.issuer.country: Country provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.issuer.common_name: Common name provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.issuer.locality: Locality provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.issuer.organization: Organization provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.issuer.organizational_unit: Organizational unit provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.issuer.state: State or province provided in the certificate issuer field.

type: keyword
zeek.x509.certificate.common_name: Last (most specific) common name.

type: keyword

valid

Certificate validity timestamps

zeek.x509.certificate.valid.from: Timestamp before when certificate is not valid.

type: date
zeek.x509.certificate.valid.until: Timestamp after when certificate is not valid.

type: date
zeek.x509.certificate.key.algorithm: Name of the key algorithm.

type: keyword
zeek.x509.certificate.key.type: Key type, if key parseable by openssl (either rsa, dsa or ec).

type: keyword
zeek.x509.certificate.key.length: Key length in bits.

type: integer
zeek.x509.certificate.signature_algorithm: Name of the signature algorithm.

type: keyword
zeek.x509.certificate.exponent: Exponent, if RSA-certificate.

type: keyword
zeek.x509.certificate.curve: Curve, if EC-certificate.

type: keyword

san

Subject alternative name extension of the certificate.

zeek.x509.san.dns: List of DNS entries in SAN.

type: keyword
zeek.x509.san.uri: List of URI entries in SAN.

type: keyword
zeek.x509.san.email: List of email entries in SAN.

type: keyword
zeek.x509.san.ip: List of IP entries in SAN.

type: ip
zeek.x509.san.other_fields: True if the certificate contained other, not recognized or parsed name fields.

type: boolean

basic_constraints

Basic constraints extension of the certificate.

zeek.x509.basic_constraints.certificate_authority: CA flag set or not.

type: boolean
zeek.x509.basic_constraints.path_length: Maximum path length.

type: integer
zeek.x509.log_cert: Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F.

type: boolean

ZooKeeper fields

ZooKeeper Module

zookeeper

audit

ZooKeeper Audit logs.

zookeeper.audit.session: Client session id

type: keyword
zookeeper.audit.znode: Path of the znode

type: keyword
zookeeper.audit.znode_type: Type of znode in case of creation operation

type: keyword
zookeeper.audit.acl: String representation of znode ACL like cdrwa(create, delete,read, write, admin). This is logged only for setAcl operation

type: keyword
zookeeper.audit.result: Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for serverStop operation because stop is logged before ensuring that server actually stopped.

type: keyword
zookeeper.audit.user: Comma separated list of users who are associate with a client session

type: keyword

log

ZooKeeper logs.

Zoom fields

Module for handling incoming Zoom webhook requests

zoom

Module for parsing Zoom API Webhooks.

zoom.master_account_id: Master Account related to a specific Sub Account

type: keyword
zoom.sub_account_id: Related Sub Account

type: keyword
zoom.operator_id: UserID that triggered the event

type: keyword
zoom.operator: Username/Email related to the user that triggered the event

type: keyword
zoom.account_id: Related accountID to the event

type: keyword
zoom.timestamp: Timestamp related to the event

type: date
zoom.creation_type: Creation type

type: keyword
zoom.account.owner_id: UserID of the user whose sub account was created/disassociated

type: keyword
zoom.account.email: Email related to the user the action was performed on

type: keyword
zoom.account.owner_email: Email of the user whose sub account was created/disassociated

type: keyword
zoom.account.account_name: When an account name is updated, this is the new value set

type: keyword
zoom.account.account_alias: When an account alias is updated, this is the new value set

type: keyword
zoom.account.account_support_name: When an account support_name is updated, this is the new value set

type: keyword
zoom.account.account_support_email: When an account support_email is updated, this is the new value set

type: keyword
zoom.chat_channel.name: The name of the channel that has been added/modified/deleted

type: keyword
zoom.chat_channel.id: The ID of the channel that has been added/modified/deleted

type: keyword
zoom.chat_channel.type: Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public)

type: keyword
zoom.chat_message.id: Unique ID of the related chat message

type: keyword
zoom.chat_message.type: Type of message, can be either "to_contact" or "to_channel"

type: keyword
zoom.chat_message.session_id: SessionID for the channel related to the message

type: keyword
zoom.chat_message.contact_email: Email address related to the user sending the message

type: keyword
zoom.chat_message.contact_id: UserID belonging to the user receiving a message

type: keyword
zoom.chat_message.channel_id: ChannelID related to the message

type: keyword
zoom.chat_message.channel_name: Channel name related to the message

type: keyword
zoom.chat_message.message: A string containing the full message that was sent

type: keyword
zoom.meeting.id: Unique ID of the related meeting

type: keyword
zoom.meeting.uuid: The UUID of the related meeting

type: keyword
zoom.meeting.host_id: The UserID of the configured meeting host

type: keyword
zoom.meeting.topic: Topic of the related meeting

type: keyword
zoom.meeting.type: Type of meeting created

type: keyword
zoom.meeting.start_time: Date and time the meeting started

type: date
zoom.meeting.timezone: Which timezone is used for the meeting timestamps

type: keyword
zoom.meeting.duration: The duration of a meeting in minutes

type: long
zoom.meeting.issues: When a user reports an issue with the meeting, for example: "Unstable audio quality"

type: keyword
zoom.meeting.password: Password related to the meeting

type: keyword
zoom.phone.id: Unique ID for the phone or conversation

type: keyword
zoom.phone.user_id: UserID for the phone owner related to a Call Log being completed

type: keyword
zoom.phone.download_url: Download URL for the voicemail

type: keyword
zoom.phone.ringing_start_time: The timestamp when a ringtone was established to the callee

type: date
zoom.phone.connected_start_time: The date and time when a ringtone was established to the callee

type: date
zoom.phone.answer_start_time: The date and time when the call was answered

type: date
zoom.phone.call_end_time: The date and time when the call ended

type: date
zoom.phone.call_id: Unique ID of the related call

type: keyword
zoom.phone.duration: Duration of a voicemail in minutes

type: long
zoom.phone.caller.id: UserID of the caller related to the voicemail/call

type: keyword
zoom.phone.caller.user_id: UserID of the person which initiated the call

type: keyword
zoom.phone.caller.number_type: The type of number, can be 1(Internal) or 2(External)

type: keyword
zoom.phone.caller.name: The name of the related callee

type: keyword
zoom.phone.caller.phone_number: Phone Number of the caller related to the call

type: keyword
zoom.phone.caller.extension_type: Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup

type: keyword
zoom.phone.caller.extension_number: Extension number of the caller

type: keyword
zoom.phone.caller.timezone: Timezone of the caller

type: keyword
zoom.phone.caller.device_type: Device type used by the caller

type: keyword
zoom.phone.callee.id: UserID of the callee related to the voicemail/call

type: keyword
zoom.phone.callee.user_id: UserID of the related callee of a voicemail/call

type: keyword
zoom.phone.callee.name: The name of the related callee

type: keyword
zoom.phone.callee.number_type: The type of number, can be 1(Internal) or 2(External)

type: keyword
zoom.phone.callee.phone_number: Phone Number of the callee related to the call

type: keyword
zoom.phone.callee.extension_type: Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup

type: keyword
zoom.phone.callee.extension_number: Extension number of the callee related to the call

type: keyword
zoom.phone.callee.timezone: Timezone of the callee related to the call

type: keyword
zoom.phone.callee.device_type: Device type used by the callee related to the call

type: keyword
zoom.phone.date_time: Date and time of the related phone event

type: date
zoom.recording.id: Unique ID of the related recording

type: keyword
zoom.recording.uuid: UUID of the related recording

type: keyword
zoom.recording.host_id: UserID of the host of the meeting that was recorded

type: keyword
zoom.recording.topic: Topic of the meeting related to the recording

type: keyword
zoom.recording.type: Type of recording, can be multiple type of values, please check Zoom documentation

type: keyword
zoom.recording.start_time: The date and time when the recording started

type: date
zoom.recording.timezone: The timezone used for the recording date

type: keyword
zoom.recording.duration: Duration of the recording in minutes

type: long
zoom.recording.share_url: The URL to access the recording

type: keyword
zoom.recording.total_size: Total size of the recording in bytes

type: long
zoom.recording.recording_count: Number of recording files related to the recording

type: long
zoom.recording.recording_file.recording_start: The date and time the recording started

type: date
zoom.recording.recording_file.recording_end: The date and time the recording finished

type: date
zoom.recording.host_email: Email address of the host related to the meeting that was recorded

type: keyword
zoom.user.id: UserID related to the user event

type: keyword
zoom.user.first_name: User first name related to the user event

type: keyword
zoom.user.last_name: User last name related to the user event

type: keyword
zoom.user.email: User email related to the user event

type: keyword
zoom.user.type: User type related to the user event

type: keyword
zoom.user.phone_number: User phone number related to the user event

type: keyword
zoom.user.phone_country: User country code related to the user event

type: keyword
zoom.user.company: User company related to the user event

type: keyword
zoom.user.pmi: User personal meeting ID related to the user event

type: keyword
zoom.user.use_pmi: If a user has PMI enabled

type: boolean
zoom.user.pic_url: Full URL to the profile picture used by the user

type: keyword
zoom.user.vanity_name: Name of the personal meeting room related to the user event

type: keyword
zoom.user.timezone: Timezone configured for the user

type: keyword
zoom.user.language: Language configured for the user

type: keyword
zoom.user.host_key: Host key set for the user

type: keyword
zoom.user.role: The configured role for the user

type: keyword
zoom.user.dept: The configured departement for the user

type: keyword
zoom.user.presence_status: Current presence status of user

type: keyword
zoom.user.personal_notes: Personal notes for the User

type: keyword
zoom.user.client_type: Type of client used by the user. Can be browser, mac, win, iphone or android

type: keyword
zoom.user.version: Version of the client used by the user

type: keyword
zoom.webinar.id: Unique ID for the related webinar

type: keyword
zoom.webinar.join_url: The URL configured to join the webinar

type: keyword
zoom.webinar.uuid: UUID for the related webinar

type: keyword
zoom.webinar.host_id: UserID for the configured host of the webinar

type: keyword
zoom.webinar.topic: Meeting topic of the related webinar

type: keyword
zoom.webinar.type: Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time)

type: keyword
zoom.webinar.start_time: The date and time when the webinar started

type: date
zoom.webinar.timezone: Timezone used for the dates related to the webinar

type: keyword
zoom.webinar.duration: Duration of the webinar in minutes

type: long
zoom.webinar.agenda: The configured agenda of the webinar

type: keyword
zoom.webinar.password: Password configured to access the webinar

type: keyword
zoom.webinar.issues: Any reported issues about a webinar is reported in this field

type: keyword
zoom.zoomroom.id: Unique ID of the Zoom room

type: keyword
zoom.zoomroom.room_name: The configured name of the Zoom room

type: keyword
zoom.zoomroom.calendar_name: Calendar name of the Zoom room

type: keyword
zoom.zoomroom.calendar_id: Unique ID of the calendar used by the Zoom room

type: keyword
zoom.zoomroom.event_id: Unique ID of the calendar event associated with the Zoom Room

type: keyword
zoom.zoomroom.change_key: Key used by Microsoft products integration that represents a specific version of a calendar

type: keyword
zoom.zoomroom.resource_email: Email address associated with the calendar in use by the Zoom room

type: keyword
zoom.zoomroom.email: Email address associated with the Zoom room itself

type: keyword
zoom.zoomroom.issue: Any reported alerts or issues related to the Zoom room or its equipment

type: keyword
zoom.zoomroom.alert_type: An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation

type: keyword
zoom.zoomroom.component: An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation

type: keyword
zoom.zoomroom.alert_kind: An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared)

type: keyword
zoom.registrant.id: Unique ID of the user registering to a meeting or webinar

type: keyword
zoom.registrant.status: Status of the specific user registration

type: keyword
zoom.registrant.email: Email of the user registering to a meeting or webinar

type: keyword
zoom.registrant.first_name: First name of the user registering to a meeting or webinar

type: keyword
zoom.registrant.last_name: Last name of the user registering to a meeting or webinar

type: keyword
zoom.registrant.address: Address of the user registering to a meeting or webinar

type: keyword
zoom.registrant.city: City of the user registering to a meeting or webinar

type: keyword
zoom.registrant.country: Country of the user registering to a meeting or webinar

type: keyword
zoom.registrant.zip: Zip code of the user registering to a meeting or webinar

type: keyword
zoom.registrant.state: State of the user registering to a meeting or webinar

type: keyword
zoom.registrant.phone: Phone number of the user registering to a meeting or webinar

type: keyword
zoom.registrant.industry: Related industry of the user registering to a meeting or webinar

type: keyword
zoom.registrant.org: Organization related to the user registering to a meeting or webinar

type: keyword
zoom.registrant.job_title: Job title of the user registering to a meeting or webinar

type: keyword
zoom.registrant.purchasing_time_frame: Choosen purchase timeframe of the user registering to a meeting or webinar

type: keyword
zoom.registrant.role_in_purchase_process: Choosen role in a purchase process related to the user registering to a meeting or webinar

type: keyword
zoom.registrant.no_of_employees: Number of employees choosen by the user registering to a meeting or webinar

type: keyword
zoom.registrant.comments: Comments left by the user registering to a meeting or webinar

type: keyword
zoom.registrant.join_url: The URL that the registrant can use to join the webinar

type: keyword
zoom.participant.id: Unique ID of the participant related to a meeting

type: keyword
zoom.participant.user_id: UserID of the participant related to a meeting

type: keyword
zoom.participant.user_name: Username of the participant related to a meeting

type: keyword
zoom.participant.join_time: The date and time a participant joined a meeting

type: date
zoom.participant.leave_time: The date and time a participant left a meeting

type: date
zoom.participant.sharing_details.link_source: Method of sharing with dropbox integration

type: keyword
zoom.participant.sharing_details.content: Type of content that was shared

type: keyword
zoom.participant.sharing_details.file_link: The file link that was shared

type: keyword
zoom.participant.sharing_details.date_time: Timestamp the sharing started

type: keyword
zoom.participant.sharing_details.source: The file source that was share

type: keyword
zoom.old_values: Includes the old values when updating a object like user, meeting, account or webinar

type: flattened
zoom.settings: The current active settings related to a object like user, meeting, account or webinar

type: flattened

Zscaler NSS fields

zscaler fields.

network.interface.name: Name of the network interface where the traffic has been observed.

type: keyword
rsa.internal.msg: This key is used to capture the raw message that comes into the Log Decoder

type: keyword
rsa.internal.messageid: type: keyword
rsa.internal.event_desc: type: keyword
rsa.internal.message: This key captures the contents of instant messages

type: keyword
rsa.internal.time: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date
rsa.internal.level: Deprecated key defined only in table map.

type: long
rsa.internal.msg_id: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.msg_vid: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.data: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_server: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_val: Deprecated key defined only in table map.

type: keyword
rsa.internal.resource: Deprecated key defined only in table map.

type: keyword
rsa.internal.obj_id: Deprecated key defined only in table map.

type: keyword
rsa.internal.statement: Deprecated key defined only in table map.

type: keyword
rsa.internal.audit_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.entry: Deprecated key defined only in table map.

type: keyword
rsa.internal.hcode: Deprecated key defined only in table map.

type: keyword
rsa.internal.inode: Deprecated key defined only in table map.

type: long
rsa.internal.resource_class: Deprecated key defined only in table map.

type: keyword
rsa.internal.dead: Deprecated key defined only in table map.

type: long
rsa.internal.feed_desc: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.feed_name: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.cid: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_class: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_group: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_host: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_ip: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_ipv6: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.device_type: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.device_type_id: Deprecated key defined only in table map.

type: long
rsa.internal.did: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.entropy_req: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.entropy_res: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long
rsa.internal.event_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.feed_category: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.forward_ip: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip
rsa.internal.forward_ipv6: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip
rsa.internal.header_id: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_cid: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.lc_ctime: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date
rsa.internal.mcb_req: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcb_res: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long
rsa.internal.mcbc_req: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.mcbc_res: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long
rsa.internal.medium: This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long
rsa.internal.node_name: Deprecated key defined only in table map.

type: keyword
rsa.internal.nwe_callback_id: This key denotes that event is endpoint related

type: keyword
rsa.internal.parse_error: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.payload_req: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.payload_res: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long
rsa.internal.process_vid_dst: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword
rsa.internal.process_vid_src: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword
rsa.internal.rid: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.session_split: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.site: Deprecated key defined only in table map.

type: keyword
rsa.internal.size: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long
rsa.internal.sourcefile: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.internal.ubc_req: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.ubc_res: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long
rsa.internal.word: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword
rsa.time.event_time: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

type: date
rsa.time.duration_time: This key is used to capture the normalized duration/lifetime in seconds.

type: double
rsa.time.event_time_str: This key is used to capture the incomplete time mentioned in a session as a string

type: keyword
rsa.time.starttime: This key is used to capture the Start time mentioned in a session in a standard form

type: date
rsa.time.month: type: keyword
rsa.time.day: type: keyword
rsa.time.endtime: This key is used to capture the End time mentioned in a session in a standard form

type: date
rsa.time.timezone: This key is used to capture the timezone of the Event Time

type: keyword
rsa.time.duration_str: A text string version of the duration

type: keyword
rsa.time.date: type: keyword
rsa.time.year: type: keyword
rsa.time.recorded_time: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date
rsa.time.datetime: type: keyword
rsa.time.effective_time: This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date
rsa.time.expire_time: This key is the timestamp that explicitly refers to an expiration.

type: date
rsa.time.process_time: Deprecated, use duration.time

type: keyword
rsa.time.hour: type: keyword
rsa.time.min: type: keyword
rsa.time.timestamp: type: keyword
rsa.time.event_queue_time: This key is the Time that the event was queued.

type: date
rsa.time.p_time1: type: keyword
rsa.time.tzone: type: keyword
rsa.time.eventtime: type: keyword
rsa.time.gmtdate: type: keyword
rsa.time.gmttime: type: keyword
rsa.time.p_date: type: keyword
rsa.time.p_month: type: keyword
rsa.time.p_time: type: keyword
rsa.time.p_time2: type: keyword
rsa.time.p_year: type: keyword
rsa.time.expire_time_str: This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword
rsa.time.stamp: Deprecated key defined only in table map.

type: date
rsa.misc.action: type: keyword
rsa.misc.result: This key is used to capture the outcome/result string value of an action in a session.

type: keyword
rsa.misc.severity: This key is used to capture the severity given the session

type: keyword
rsa.misc.event_type: This key captures the event category type as specified by the event source.

type: keyword
rsa.misc.reference_id: This key is used to capture an event id from the session directly

type: keyword
rsa.misc.version: This key captures Version of the application or OS which is generating the event.

type: keyword
rsa.misc.disposition: This key captures the The end state of an action.

type: keyword
rsa.misc.result_code: This key is used to capture the outcome/result numeric value of an action in a session

type: keyword
rsa.misc.category: This key is used to capture the category of an event given by the vendor in the session

type: keyword
rsa.misc.obj_name: This is used to capture name of object

type: keyword
rsa.misc.obj_type: This is used to capture type of object

type: keyword
rsa.misc.event_source: This key captures Source of the event that’s not a hostname

type: keyword
rsa.misc.log_session_id: This key is used to capture a sessionid from the session directly

type: keyword
rsa.misc.group: This key captures the Group Name value

type: keyword
rsa.misc.policy_name: This key is used to capture the Policy Name only.

type: keyword
rsa.misc.rule_name: This key captures the Rule Name

type: keyword
rsa.misc.context: This key captures Information which adds additional context to the event.

type: keyword
rsa.misc.change_new: This key is used to capture the new values of the attribute that’s changing in a session

type: keyword
rsa.misc.space: type: keyword
rsa.misc.client: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword
rsa.misc.msgIdPart1: type: keyword
rsa.misc.msgIdPart2: type: keyword
rsa.misc.change_old: This key is used to capture the old value of the attribute that’s changing in a session

type: keyword
rsa.misc.operation_id: An alert number or operation number. The values should be unique and non-repeating.

type: keyword
rsa.misc.event_state: This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword
rsa.misc.group_object: This key captures a collection/grouping of entities. Specific usage

type: keyword
rsa.misc.node: Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword
rsa.misc.rule: This key captures the Rule number

type: keyword
rsa.misc.device_name: This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

type: keyword
rsa.misc.param: This key is the parameters passed as part of a command or application, etc.

type: keyword
rsa.misc.change_attrib: This key is used to capture the name of the attribute that’s changing in a session

type: keyword
rsa.misc.event_computer: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword
rsa.misc.reference_id1: This key is for Linked ID to be used as an addition to "reference.id"

type: keyword
rsa.misc.event_log: This key captures the Name of the event log

type: keyword
rsa.misc.OS: This key captures the Name of the Operating System

type: keyword
rsa.misc.terminal: This key captures the Terminal Names only

type: keyword
rsa.misc.msgIdPart3: type: keyword
rsa.misc.filter: This key captures Filter used to reduce result set

type: keyword
rsa.misc.serial_number: This key is the Serial number associated with a physical asset.

type: keyword
rsa.misc.checksum: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword
rsa.misc.event_user: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword
rsa.misc.virusname: This key captures the name of the virus

type: keyword
rsa.misc.content_type: This key is used to capture Content Type only.

type: keyword
rsa.misc.group_id: This key captures Group ID Number (related to the group name)

type: keyword
rsa.misc.policy_id: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword
rsa.misc.vsys: This key captures Virtual System Name

type: keyword
rsa.misc.connection_id: This key captures the Connection ID

type: keyword
rsa.misc.reference_id2: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword
rsa.misc.sensor: This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword
rsa.misc.sig_id: This key captures IDS/IPS Int Signature ID

type: long
rsa.misc.port_name: This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword
rsa.misc.rule_group: This key captures the Rule group name

type: keyword
rsa.misc.risk_num: This key captures a Numeric Risk value

type: double
rsa.misc.trigger_val: This key captures the Value of the trigger or threshold condition.

type: keyword
rsa.misc.log_session_id1: This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword
rsa.misc.comp_version: This key captures the Version level of a sub-component of a product.

type: keyword
rsa.misc.content_version: This key captures Version level of a signature or database content.

type: keyword
rsa.misc.hardware_id: This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword
rsa.misc.risk: This key captures the non-numeric risk value

type: keyword
rsa.misc.event_id: type: keyword
rsa.misc.reason: type: keyword
rsa.misc.status: type: keyword
rsa.misc.mail_id: This key is used to capture the mailbox id/name

type: keyword
rsa.misc.rule_uid: This key is the Unique Identifier for a rule.

type: keyword
rsa.misc.trigger_desc: This key captures the Description of the trigger or threshold condition.

type: keyword
rsa.misc.inout: type: keyword
rsa.misc.p_msgid: type: keyword
rsa.misc.data_type: type: keyword
rsa.misc.msgIdPart4: type: keyword
rsa.misc.error: This key captures All non successful Error codes or responses

type: keyword
rsa.misc.index: type: keyword
rsa.misc.listnum: This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword
rsa.misc.ntype: type: keyword
rsa.misc.observed_val: This key captures the Value observed (from the perspective of the device generating the log).

type: keyword
rsa.misc.policy_value: This key captures the contents of the policy. This contains details about the policy

type: keyword
rsa.misc.pool_name: This key captures the name of a resource pool

type: keyword
rsa.misc.rule_template: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

type: keyword
rsa.misc.count: type: keyword
rsa.misc.number: type: keyword
rsa.misc.sigcat: type: keyword
rsa.misc.type: type: keyword
rsa.misc.comments: Comment information provided in the log message

type: keyword
rsa.misc.doc_number: This key captures File Identification number

type: long
rsa.misc.expected_val: This key captures the Value expected (from the perspective of the device generating the log).

type: keyword
rsa.misc.job_num: This key captures the Job Number

type: keyword
rsa.misc.spi_dst: Destination SPI Index

type: keyword
rsa.misc.spi_src: Source SPI Index

type: keyword
rsa.misc.code: type: keyword
rsa.misc.agent_id: This key is used to capture agent id

type: keyword
rsa.misc.message_body: This key captures the The contents of the message body.

type: keyword
rsa.misc.phone: type: keyword
rsa.misc.sig_id_str: This key captures a string object of the sigid variable.

type: keyword
rsa.misc.cmd: type: keyword
rsa.misc.misc: type: keyword
rsa.misc.name: type: keyword
rsa.misc.cpu: This key is the CPU time used in the execution of the event being recorded.

type: long
rsa.misc.event_desc: This key is used to capture a description of an event available directly or inferred

type: keyword
rsa.misc.sig_id1: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long
rsa.misc.im_buddyid: type: keyword
rsa.misc.im_client: type: keyword
rsa.misc.im_userid: type: keyword
rsa.misc.pid: type: keyword
rsa.misc.priority: type: keyword
rsa.misc.context_subject: This key is to be used in an audit context where the subject is the object being identified

type: keyword
rsa.misc.context_target: type: keyword
rsa.misc.cve: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword
rsa.misc.fcatnum: This key captures Filter Category Number. Legacy Usage

type: keyword
rsa.misc.library: This key is used to capture library information in mainframe devices

type: keyword
rsa.misc.parent_node: This key captures the Parent Node Name. Must be related to node variable.

type: keyword
rsa.misc.risk_info: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.tcp_flags: This key is captures the TCP flags set in any packet of session

type: long
rsa.misc.tos: This key describes the type of service

type: long
rsa.misc.vm_target: VMWare Target VMWARE only varaible.

type: keyword
rsa.misc.workspace: This key captures Workspace Description

type: keyword
rsa.misc.command: type: keyword
rsa.misc.event_category: type: keyword
rsa.misc.facilityname: type: keyword
rsa.misc.forensic_info: type: keyword
rsa.misc.jobname: type: keyword
rsa.misc.mode: type: keyword
rsa.misc.policy: type: keyword
rsa.misc.policy_waiver: type: keyword
rsa.misc.second: type: keyword
rsa.misc.space1: type: keyword
rsa.misc.subcategory: type: keyword
rsa.misc.tbdstr2: type: keyword
rsa.misc.alert_id: Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.checksum_dst: This key is used to capture the checksum or hash of the the target entity such as a process or file.

type: keyword
rsa.misc.checksum_src: This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword
rsa.misc.fresult: This key captures the Filter Result

type: long
rsa.misc.payload_dst: This key is used to capture destination payload

type: keyword
rsa.misc.payload_src: This key is used to capture source payload

type: keyword
rsa.misc.pool_id: This key captures the identifier (typically numeric field) of a resource pool

type: keyword
rsa.misc.process_id_val: This key is a failure key for Process ID when it is not an integer value

type: keyword
rsa.misc.risk_num_comm: This key captures Risk Number Community

type: double
rsa.misc.risk_num_next: This key captures Risk Number NextGen

type: double
rsa.misc.risk_num_sand: This key captures Risk Number SandBox

type: double
rsa.misc.risk_num_static: This key captures Risk Number Static

type: double
rsa.misc.risk_suspicious: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.risk_warning: Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword
rsa.misc.snmp_oid: SNMP Object Identifier

type: keyword
rsa.misc.sql: This key captures the SQL query

type: keyword
rsa.misc.vuln_ref: This key captures the Vulnerability Reference details

type: keyword
rsa.misc.acl_id: type: keyword
rsa.misc.acl_op: type: keyword
rsa.misc.acl_pos: type: keyword
rsa.misc.acl_table: type: keyword
rsa.misc.admin: type: keyword
rsa.misc.alarm_id: type: keyword
rsa.misc.alarmname: type: keyword
rsa.misc.app_id: type: keyword
rsa.misc.audit: type: keyword
rsa.misc.audit_object: type: keyword
rsa.misc.auditdata: type: keyword
rsa.misc.benchmark: type: keyword
rsa.misc.bypass: type: keyword
rsa.misc.cache: type: keyword
rsa.misc.cache_hit: type: keyword
rsa.misc.cefversion: type: keyword
rsa.misc.cfg_attr: type: keyword
rsa.misc.cfg_obj: type: keyword
rsa.misc.cfg_path: type: keyword
rsa.misc.changes: type: keyword
rsa.misc.client_ip: type: keyword
rsa.misc.clustermembers: type: keyword
rsa.misc.cn_acttimeout: type: keyword
rsa.misc.cn_asn_src: type: keyword
rsa.misc.cn_bgpv4nxthop: type: keyword
rsa.misc.cn_ctr_dst_code: type: keyword
rsa.misc.cn_dst_tos: type: keyword
rsa.misc.cn_dst_vlan: type: keyword
rsa.misc.cn_engine_id: type: keyword
rsa.misc.cn_engine_type: type: keyword
rsa.misc.cn_f_switch: type: keyword
rsa.misc.cn_flowsampid: type: keyword
rsa.misc.cn_flowsampintv: type: keyword
rsa.misc.cn_flowsampmode: type: keyword
rsa.misc.cn_inacttimeout: type: keyword
rsa.misc.cn_inpermbyts: type: keyword
rsa.misc.cn_inpermpckts: type: keyword
rsa.misc.cn_invalid: type: keyword
rsa.misc.cn_ip_proto_ver: type: keyword
rsa.misc.cn_ipv4_ident: type: keyword
rsa.misc.cn_l_switch: type: keyword
rsa.misc.cn_log_did: type: keyword
rsa.misc.cn_log_rid: type: keyword
rsa.misc.cn_max_ttl: type: keyword
rsa.misc.cn_maxpcktlen: type: keyword
rsa.misc.cn_min_ttl: type: keyword
rsa.misc.cn_minpcktlen: type: keyword
rsa.misc.cn_mpls_lbl_1: type: keyword
rsa.misc.cn_mpls_lbl_10: type: keyword
rsa.misc.cn_mpls_lbl_2: type: keyword
rsa.misc.cn_mpls_lbl_3: type: keyword
rsa.misc.cn_mpls_lbl_4: type: keyword
rsa.misc.cn_mpls_lbl_5: type: keyword
rsa.misc.cn_mpls_lbl_6: type: keyword
rsa.misc.cn_mpls_lbl_7: type: keyword
rsa.misc.cn_mpls_lbl_8: type: keyword
rsa.misc.cn_mpls_lbl_9: type: keyword
rsa.misc.cn_mplstoplabel: type: keyword
rsa.misc.cn_mplstoplabip: type: keyword
rsa.misc.cn_mul_dst_byt: type: keyword
rsa.misc.cn_mul_dst_pks: type: keyword
rsa.misc.cn_muligmptype: type: keyword
rsa.misc.cn_sampalgo: type: keyword
rsa.misc.cn_sampint: type: keyword
rsa.misc.cn_seqctr: type: keyword
rsa.misc.cn_spackets: type: keyword
rsa.misc.cn_src_tos: type: keyword
rsa.misc.cn_src_vlan: type: keyword
rsa.misc.cn_sysuptime: type: keyword
rsa.misc.cn_template_id: type: keyword
rsa.misc.cn_totbytsexp: type: keyword
rsa.misc.cn_totflowexp: type: keyword
rsa.misc.cn_totpcktsexp: type: keyword
rsa.misc.cn_unixnanosecs: type: keyword
rsa.misc.cn_v6flowlabel: type: keyword
rsa.misc.cn_v6optheaders: type: keyword
rsa.misc.comp_class: type: keyword
rsa.misc.comp_name: type: keyword
rsa.misc.comp_rbytes: type: keyword
rsa.misc.comp_sbytes: type: keyword
rsa.misc.cpu_data: type: keyword
rsa.misc.criticality: type: keyword
rsa.misc.cs_agency_dst: type: keyword
rsa.misc.cs_analyzedby: type: keyword
rsa.misc.cs_av_other: type: keyword
rsa.misc.cs_av_primary: type: keyword
rsa.misc.cs_av_secondary: type: keyword
rsa.misc.cs_bgpv6nxthop: type: keyword
rsa.misc.cs_bit9status: type: keyword
rsa.misc.cs_context: type: keyword
rsa.misc.cs_control: type: keyword
rsa.misc.cs_data: type: keyword
rsa.misc.cs_datecret: type: keyword
rsa.misc.cs_dst_tld: type: keyword
rsa.misc.cs_eth_dst_ven: type: keyword
rsa.misc.cs_eth_src_ven: type: keyword
rsa.misc.cs_event_uuid: type: keyword
rsa.misc.cs_filetype: type: keyword
rsa.misc.cs_fld: type: keyword
rsa.misc.cs_if_desc: type: keyword
rsa.misc.cs_if_name: type: keyword
rsa.misc.cs_ip_next_hop: type: keyword
rsa.misc.cs_ipv4dstpre: type: keyword
rsa.misc.cs_ipv4srcpre: type: keyword
rsa.misc.cs_lifetime: type: keyword
rsa.misc.cs_log_medium: type: keyword
rsa.misc.cs_loginname: type: keyword
rsa.misc.cs_modulescore: type: keyword
rsa.misc.cs_modulesign: type: keyword
rsa.misc.cs_opswatresult: type: keyword
rsa.misc.cs_payload: type: keyword
rsa.misc.cs_registrant: type: keyword
rsa.misc.cs_registrar: type: keyword
rsa.misc.cs_represult: type: keyword
rsa.misc.cs_rpayload: type: keyword
rsa.misc.cs_sampler_name: type: keyword
rsa.misc.cs_sourcemodule: type: keyword
rsa.misc.cs_streams: type: keyword
rsa.misc.cs_targetmodule: type: keyword
rsa.misc.cs_v6nxthop: type: keyword
rsa.misc.cs_whois_server: type: keyword
rsa.misc.cs_yararesult: type: keyword
rsa.misc.description: type: keyword
rsa.misc.devvendor: type: keyword
rsa.misc.distance: type: keyword
rsa.misc.dstburb: type: keyword
rsa.misc.edomain: type: keyword
rsa.misc.edomaub: type: keyword
rsa.misc.euid: type: keyword
rsa.misc.facility: type: keyword
rsa.misc.finterface: type: keyword
rsa.misc.flags: type: keyword
rsa.misc.gaddr: type: keyword
rsa.misc.id3: type: keyword
rsa.misc.im_buddyname: type: keyword
rsa.misc.im_croomid: type: keyword
rsa.misc.im_croomtype: type: keyword
rsa.misc.im_members: type: keyword
rsa.misc.im_username: type: keyword
rsa.misc.ipkt: type: keyword
rsa.misc.ipscat: type: keyword
rsa.misc.ipspri: type: keyword
rsa.misc.latitude: type: keyword
rsa.misc.linenum: type: keyword
rsa.misc.list_name: type: keyword
rsa.misc.load_data: type: keyword
rsa.misc.location_floor: type: keyword
rsa.misc.location_mark: type: keyword
rsa.misc.log_id: type: keyword
rsa.misc.log_type: type: keyword
rsa.misc.logid: type: keyword
rsa.misc.logip: type: keyword
rsa.misc.logname: type: keyword
rsa.misc.longitude: type: keyword
rsa.misc.lport: type: keyword
rsa.misc.mbug_data: type: keyword
rsa.misc.misc_name: type: keyword
rsa.misc.msg_type: type: keyword
rsa.misc.msgid: type: keyword
rsa.misc.netsessid: type: keyword
rsa.misc.num: type: keyword
rsa.misc.number1: type: keyword
rsa.misc.number2: type: keyword
rsa.misc.nwwn: type: keyword
rsa.misc.object: type: keyword
rsa.misc.operation: type: keyword
rsa.misc.opkt: type: keyword
rsa.misc.orig_from: type: keyword
rsa.misc.owner_id: type: keyword
rsa.misc.p_action: type: keyword
rsa.misc.p_filter: type: keyword
rsa.misc.p_group_object: type: keyword
rsa.misc.p_id: type: keyword
rsa.misc.p_msgid1: type: keyword
rsa.misc.p_msgid2: type: keyword
rsa.misc.p_result1: type: keyword
rsa.misc.password_chg: type: keyword
rsa.misc.password_expire: type: keyword
rsa.misc.permgranted: type: keyword
rsa.misc.permwanted: type: keyword
rsa.misc.pgid: type: keyword
rsa.misc.policyUUID: type: keyword
rsa.misc.prog_asp_num: type: keyword
rsa.misc.program: type: keyword
rsa.misc.real_data: type: keyword
rsa.misc.rec_asp_device: type: keyword
rsa.misc.rec_asp_num: type: keyword
rsa.misc.rec_library: type: keyword
rsa.misc.recordnum: type: keyword
rsa.misc.ruid: type: keyword
rsa.misc.sburb: type: keyword
rsa.misc.sdomain_fld: type: keyword
rsa.misc.sec: type: keyword
rsa.misc.sensorname: type: keyword
rsa.misc.seqnum: type: keyword
rsa.misc.session: type: keyword
rsa.misc.sessiontype: type: keyword
rsa.misc.sigUUID: type: keyword
rsa.misc.spi: type: keyword
rsa.misc.srcburb: type: keyword
rsa.misc.srcdom: type: keyword
rsa.misc.srcservice: type: keyword
rsa.misc.state: type: keyword
rsa.misc.status1: type: keyword
rsa.misc.svcno: type: keyword
rsa.misc.system: type: keyword
rsa.misc.tbdstr1: type: keyword
rsa.misc.tgtdom: type: keyword
rsa.misc.tgtdomain: type: keyword
rsa.misc.threshold: type: keyword
rsa.misc.type1: type: keyword
rsa.misc.udb_class: type: keyword
rsa.misc.url_fld: type: keyword
rsa.misc.user_div: type: keyword
rsa.misc.userid: type: keyword
rsa.misc.username_fld: type: keyword
rsa.misc.utcstamp: type: keyword
rsa.misc.v_instafname: type: keyword
rsa.misc.virt_data: type: keyword
rsa.misc.vpnid: type: keyword
rsa.misc.autorun_type: This is used to capture Auto Run type

type: keyword
rsa.misc.cc_number: Valid Credit Card Numbers only

type: long
rsa.misc.content: This key captures the content type from protocol headers

type: keyword
rsa.misc.ein_number: Employee Identification Numbers only

type: long
rsa.misc.found: This is used to capture the results of regex match

type: keyword
rsa.misc.language: This is used to capture list of languages the client support and what it prefers

type: keyword
rsa.misc.lifetime: This key is used to capture the session lifetime in seconds.

type: long
rsa.misc.link: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword
rsa.misc.match: This key is for regex match name from search.ini

type: keyword
rsa.misc.param_dst: This key captures the command line/launch argument of the target process or file

type: keyword
rsa.misc.param_src: This key captures source parameter

type: keyword
rsa.misc.search_text: This key captures the Search Text used

type: keyword
rsa.misc.sig_name: This key is used to capture the Signature Name only.

type: keyword
rsa.misc.snmp_value: SNMP set request value

type: keyword
rsa.misc.streams: This key captures number of streams in session

type: long
rsa.db.index: This key captures IndexID of the index.

type: keyword
rsa.db.instance: This key is used to capture the database server instance name

type: keyword
rsa.db.database: This key is used to capture the name of a database or an instance as seen in a session

type: keyword
rsa.db.transact_id: This key captures the SQL transantion ID of the current session

type: keyword
rsa.db.permissions: This key captures permission or privilege level assigned to a resource.

type: keyword
rsa.db.table_name: This key is used to capture the table name

type: keyword
rsa.db.db_id: This key is used to capture the unique identifier for a database

type: keyword
rsa.db.db_pid: This key captures the process id of a connection with database server

type: long
rsa.db.lread: This key is used for the number of logical reads

type: long
rsa.db.lwrite: This key is used for the number of logical writes

type: long
rsa.db.pread: This key is used for the number of physical writes

type: long
rsa.network.alias_host: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

type: keyword
rsa.network.domain: type: keyword
rsa.network.host_dst: This key should only be used when it’s a Destination Hostname

type: keyword
rsa.network.network_service: This is used to capture layer 7 protocols/service names

type: keyword
rsa.network.interface: This key should be used when the source or destination context of an interface is not clear

type: keyword
rsa.network.network_port: Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long
rsa.network.eth_host: Deprecated, use alias.mac

type: keyword
rsa.network.sinterface: This key should only be used when it’s a Source Interface

type: keyword
rsa.network.dinterface: This key should only be used when it’s a Destination Interface

type: keyword
rsa.network.vlan: This key should only be used to capture the ID of the Virtual LAN

type: long
rsa.network.zone_src: This key should only be used when it’s a Source Zone.

type: keyword
rsa.network.zone: This key should be used when the source or destination context of a Zone is not clear

type: keyword
rsa.network.zone_dst: This key should only be used when it’s a Destination Zone.

type: keyword
rsa.network.gateway: This key is used to capture the IP Address of the gateway

type: keyword
rsa.network.icmp_type: This key is used to capture the ICMP type only

type: long
rsa.network.mask: This key is used to capture the device network IPmask.

type: keyword
rsa.network.icmp_code: This key is used to capture the ICMP code only

type: long
rsa.network.protocol_detail: This key should be used to capture additional protocol information

type: keyword
rsa.network.dmask: This key is used for Destionation Device network mask

type: keyword
rsa.network.port: This key should only be used to capture a Network Port when the directionality is not clear

type: long
rsa.network.smask: This key is used for capturing source Network Mask

type: keyword
rsa.network.netname: This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword
rsa.network.paddr: Deprecated

type: ip
rsa.network.faddr: type: keyword
rsa.network.lhost: type: keyword
rsa.network.origin: type: keyword
rsa.network.remote_domain_id: type: keyword
rsa.network.addr: type: keyword
rsa.network.dns_a_record: type: keyword
rsa.network.dns_ptr_record: type: keyword
rsa.network.fhost: type: keyword
rsa.network.fport: type: keyword
rsa.network.laddr: type: keyword
rsa.network.linterface: type: keyword
rsa.network.phost: type: keyword
rsa.network.ad_computer_dst: Deprecated, use host.dst

type: keyword
rsa.network.eth_type: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long
rsa.network.ip_proto: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

type: long
rsa.network.dns_cname_record: type: keyword
rsa.network.dns_id: type: keyword
rsa.network.dns_opcode: type: keyword
rsa.network.dns_resp: type: keyword
rsa.network.dns_type: type: keyword
rsa.network.domain1: type: keyword
rsa.network.host_type: type: keyword
rsa.network.packet_length: type: keyword
rsa.network.host_orig: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword
rsa.network.rpayload: This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword
rsa.network.vlan_name: This key should only be used to capture the name of the Virtual LAN

type: keyword
rsa.investigations.ec_activity: This key captures the particular event activity(Ex:Logoff)

type: keyword
rsa.investigations.ec_theme: This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword
rsa.investigations.ec_subject: This key captures the Subject of a particular Event(Ex:User)

type: keyword
rsa.investigations.ec_outcome: This key captures the outcome of a particular Event(Ex:Success)

type: keyword
rsa.investigations.event_cat: This key captures the Event category number

type: long
rsa.investigations.event_cat_name: This key captures the event category name corresponding to the event cat code

type: keyword
rsa.investigations.event_vcat: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword
rsa.investigations.analysis_file: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword
rsa.investigations.analysis_service: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword
rsa.investigations.analysis_session: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword
rsa.investigations.boc: This is used to capture behaviour of compromise

type: keyword
rsa.investigations.eoc: This is used to capture Enablers of Compromise

type: keyword
rsa.investigations.inv_category: This used to capture investigation category

type: keyword
rsa.investigations.inv_context: This used to capture investigation context

type: keyword
rsa.investigations.ioc: This is key capture indicator of compromise

type: keyword
rsa.counters.dclass_c1: This is a generic counter key that should be used with the label dclass.c1.str only

type: long
rsa.counters.dclass_c2: This is a generic counter key that should be used with the label dclass.c2.str only

type: long
rsa.counters.event_counter: This is used to capture the number of times an event repeated

type: long
rsa.counters.dclass_r1: This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword
rsa.counters.dclass_c3: This is a generic counter key that should be used with the label dclass.c3.str only

type: long
rsa.counters.dclass_c1_str: This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword
rsa.counters.dclass_c2_str: This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword
rsa.counters.dclass_r1_str: This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword
rsa.counters.dclass_r2: This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword
rsa.counters.dclass_c3_str: This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword
rsa.counters.dclass_r3: This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword
rsa.counters.dclass_r2_str: This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword
rsa.counters.dclass_r3_str: This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword
rsa.identity.auth_method: This key is used to capture authentication methods used only

type: keyword
rsa.identity.user_role: This key is used to capture the Role of a user only

type: keyword
rsa.identity.dn: X.500 (LDAP) Distinguished Name

type: keyword
rsa.identity.logon_type: This key is used to capture the type of logon method used.

type: keyword
rsa.identity.profile: This key is used to capture the user profile

type: keyword
rsa.identity.accesses: This key is used to capture actual privileges used in accessing an object

type: keyword
rsa.identity.realm: Radius realm or similar grouping of accounts

type: keyword
rsa.identity.user_sid_dst: This key captures Destination User Session ID

type: keyword
rsa.identity.dn_src: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword
rsa.identity.org: This key captures the User organization

type: keyword
rsa.identity.dn_dst: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword
rsa.identity.firstname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.lastname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.user_dept: User’s Department Names only

type: keyword
rsa.identity.user_sid_src: This key captures Source User Session ID

type: keyword
rsa.identity.federated_sp: This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword
rsa.identity.federated_idp: This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword
rsa.identity.logon_type_desc: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.

type: keyword
rsa.identity.middlename: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.identity.password: This key is for Passwords seen in any session, plain text or encrypted

type: keyword
rsa.identity.host_role: This key should only be used to capture the role of a Host Machine

type: keyword
rsa.identity.ldap: This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword
rsa.identity.ldap_query: This key is the Search criteria from an LDAP search

type: keyword
rsa.identity.ldap_response: This key is to capture Results from an LDAP search

type: keyword
rsa.identity.owner: This is used to capture username the process or service is running as, the author of the task

type: keyword
rsa.identity.service_account: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword
rsa.email.email_dst: This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword
rsa.email.email_src: This key is used to capture the source email address only, when the source context is not clear use email

type: keyword
rsa.email.subject: This key is used to capture the subject string from an Email only.

type: keyword
rsa.email.email: This key is used to capture a generic email address where the source or destination context is not clear

type: keyword
rsa.email.trans_from: Deprecated key defined only in table map.

type: keyword
rsa.email.trans_to: Deprecated key defined only in table map.

type: keyword
rsa.file.privilege: Deprecated, use permissions

type: keyword
rsa.file.attachment: This key captures the attachment file name

type: keyword
rsa.file.filesystem: type: keyword
rsa.file.binary: Deprecated key defined only in table map.

type: keyword
rsa.file.filename_dst: This is used to capture name of the file targeted by the action

type: keyword
rsa.file.filename_src: This is used to capture name of the parent filename, the file which performed the action

type: keyword
rsa.file.filename_tmp: type: keyword
rsa.file.directory_dst: This key is used to capture the directory of the target process or file

type: keyword
rsa.file.directory_src: This key is used to capture the directory of the source process or file

type: keyword
rsa.file.file_entropy: This is used to capture entropy vale of a file

type: double
rsa.file.file_vendor: This is used to capture Company name of file located in version_info

type: keyword
rsa.file.task_name: This is used to capture name of the task

type: keyword
rsa.web.fqdn: Fully Qualified Domain Names

type: keyword
rsa.web.web_cookie: This key is used to capture the Web cookies specifically.

type: keyword
rsa.web.alias_host: type: keyword
rsa.web.reputation_num: Reputation Number of an entity. Typically used for Web Domains

type: double
rsa.web.web_ref_domain: Web referer’s domain

type: keyword
rsa.web.web_ref_query: This key captures Web referer’s query portion of the URL

type: keyword
rsa.web.remote_domain: type: keyword
rsa.web.web_ref_page: This key captures Web referer’s page information

type: keyword
rsa.web.web_ref_root: Web referer’s root URL path

type: keyword
rsa.web.cn_asn_dst: type: keyword
rsa.web.cn_rpackets: type: keyword
rsa.web.urlpage: type: keyword
rsa.web.urlroot: type: keyword
rsa.web.p_url: type: keyword
rsa.web.p_user_agent: type: keyword
rsa.web.p_web_cookie: type: keyword
rsa.web.p_web_method: type: keyword
rsa.web.p_web_referer: type: keyword
rsa.web.web_extension_tmp: type: keyword
rsa.web.web_page: type: keyword
rsa.threat.threat_category: This key captures Threat Name/Threat Category/Categorization of alert

type: keyword
rsa.threat.threat_desc: This key is used to capture the threat description from the session directly or inferred

type: keyword
rsa.threat.alert: This key is used to capture name of the alert

type: keyword
rsa.threat.threat_source: This key is used to capture source of the threat

type: keyword
rsa.crypto.crypto: This key is used to capture the Encryption Type or Encryption Key only

type: keyword
rsa.crypto.cipher_src: This key is for Source (Client) Cipher

type: keyword
rsa.crypto.cert_subject: This key is used to capture the Certificate organization only

type: keyword
rsa.crypto.peer: This key is for Encryption peer’s IP Address

type: keyword
rsa.crypto.cipher_size_src: This key captures Source (Client) Cipher Size

type: long
rsa.crypto.ike: IKE negotiation phase.

type: keyword
rsa.crypto.scheme: This key captures the Encryption scheme used

type: keyword
rsa.crypto.peer_id: This key is for Encryption peer’s identity

type: keyword
rsa.crypto.sig_type: This key captures the Signature Type

type: keyword
rsa.crypto.cert_issuer: type: keyword
rsa.crypto.cert_host_name: Deprecated key defined only in table map.

type: keyword
rsa.crypto.cert_error: This key captures the Certificate Error String

type: keyword
rsa.crypto.cipher_dst: This key is for Destination (Server) Cipher

type: keyword
rsa.crypto.cipher_size_dst: This key captures Destination (Server) Cipher Size

type: long
rsa.crypto.ssl_ver_src: Deprecated, use version

type: keyword
rsa.crypto.d_certauth: type: keyword
rsa.crypto.s_certauth: type: keyword
rsa.crypto.ike_cookie1: ID of the negotiation — sent for ISAKMP Phase One

type: keyword
rsa.crypto.ike_cookie2: ID of the negotiation — sent for ISAKMP Phase Two

type: keyword
rsa.crypto.cert_checksum: type: keyword
rsa.crypto.cert_host_cat: This key is used for the hostname category value of a certificate

type: keyword
rsa.crypto.cert_serial: This key is used to capture the Certificate serial number only

type: keyword
rsa.crypto.cert_status: This key captures Certificate validation status

type: keyword
rsa.crypto.ssl_ver_dst: Deprecated, use version

type: keyword
rsa.crypto.cert_keysize: type: keyword
rsa.crypto.cert_username: type: keyword
rsa.crypto.https_insact: type: keyword
rsa.crypto.https_valid: type: keyword
rsa.crypto.cert_ca: This key is used to capture the Certificate signing authority only

type: keyword
rsa.crypto.cert_common: This key is used to capture the Certificate common name only

type: keyword
rsa.wireless.wlan_ssid: This key is used to capture the ssid of a Wireless Session

type: keyword
rsa.wireless.access_point: This key is used to capture the access point name.

type: keyword
rsa.wireless.wlan_channel: This is used to capture the channel names

type: long
rsa.wireless.wlan_name: This key captures either WLAN number/name

type: keyword
rsa.storage.disk_volume: A unique name assigned to logical units (volumes) within a physical disk

type: keyword
rsa.storage.lun: Logical Unit Number.This key is a very useful concept in Storage.

type: keyword
rsa.storage.pwwn: This uniquely identifies a port on a HBA.

type: keyword
rsa.physical.org_dst: This is used to capture the destination organization based on the GEOPIP Maxmind database.

type: keyword
rsa.physical.org_src: This is used to capture the source organization based on the GEOPIP Maxmind database.

type: keyword
rsa.healthcare.patient_fname: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_id: This key captures the unique ID for a patient

type: keyword
rsa.healthcare.patient_lname: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.healthcare.patient_mname: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword
rsa.endpoint.host_state: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword
rsa.endpoint.registry_key: This key captures the path to the registry key

type: keyword
rsa.endpoint.registry_value: This key captures values or decorators used within a registry entry

type: keyword

Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/monitoring/monitoring-beats.asciidoc[]

Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/shared-securing-beat.asciidoc[]

Troubleshoot

Get help

Unresolved directive in troubleshooting.asciidoc - include::/github/workspace/../../libbeat/docs/getting-help.asciidoc[]

Debug

Unresolved directive in troubleshooting.asciidoc - include::/github/workspace/../../libbeat/docs/debugging.asciidoc[]

Understand metrics in Filebeat logs

Understand logged metrics

Unresolved directive in troubleshooting.asciidoc - include::/github/workspace/../../libbeat/docs/metrics-in-logs.asciidoc[]

Common problems

This section describes common problems you might encounter with Filebeat. Also check out the Filebeat discussion forum.

Error extracting container id while using Kubernetes metadata

The add_kubernetes_metadata processor might throw the error Error extracting container id - source value does not contain matcher’s logs_path. There might be some issues with the matchers definitions or the location of logs_path. Please verify the Kubernetes pod is healthy.

Can’t read log files from network volumes

We do not recommend reading log files from network volumes. Whenever possible, install Filebeat on the host machine and send the log files directly from there. Reading files from network volumes (especially on Windows) can have unexpected side effects. For example, changed file identifiers may result in Filebeat reading a log file from scratch again.

Filebeat isn’t collecting lines from a file

Filebeat might be incorrectly configured or unable to send events to the output. To resolve the issue:

If using modules, make sure the var.paths setting points to the file. If configuring an input manually, make sure the paths setting is correct.
Verify that the file is not older than the value specified by ignore_older. ignore_older is disable by default so this depends on the value you have set. You can change this behavior by specifying a different value for ignore_older.
Make sure that Filebeat is able to send events to the configured output. Run Filebeat in debug mode to determine whether it’s publishing events successfully:
```
./filebeat -c config.yml -e -d "*"
```

Too many open file handlers

Filebeat keeps the file handler open in case it reaches the end of a file so that it can read new log lines in near real time. If Filebeat is harvesting a large number of files, the number of open files can become an issue. In most environments, the number of files that are actively updated is low. The close_inactive configuration option should be set accordingly to close files that are no longer active.

There are additional configuration options that you can use to close file handlers, but all of them should be used carefully because they can have side effects. The options are:

close_renamed
close_removed
close_eof
close_timeout
harvester_limit

The close_renamed and close_removed options can be useful on Windows to resolve issues related to file rotation. See Open file handlers cause issues with Windows file rotation. The close_eof option can be useful in environments with a large number of files that have only very few entries. The close_timeout option is useful in environments where closing file handlers is more important than sending all log lines. For more details, see Configure inputs.

Make sure that you read the documentation for these configuration options before using any of them.

Registry file is too large

Filebeat keeps the state of each file and persists the state to disk in the registry file. The file state is used to continue file reading at a previous position when Filebeat is restarted. If a large number of new files are produced every day, the registry file might grow to be too large. To reduce the size of the registry file, there are two configuration options available: clean_removed and clean_inactive.

For old files that you no longer touch and are ignored (see ignore_older), we recommended that you use clean_inactive. If old files get removed from disk, then use the clean_removed option.

Inode reuse causes Filebeat to skip lines

On Linux file systems, Filebeat uses the inode and device to identify files. When a file is removed from disk, the inode may be assigned to a new file. In use cases involving file rotation, if an old file is removed and a new one is created immediately afterwards, the new file may have the exact same inode as the file that was removed. In this case, Filebeat assumes that the new file is the same as the old and tries to continue reading at the old position, which is not correct.

By default states are never removed from the registry file. To resolve the inode reuse issue, we recommend that you use the clean_* options, especially clean_inactive, to remove the state of inactive files. For example, if your files get rotated every 24 hours, and the rotated files are not updated anymore, you can set ignore_older to 48 hours and clean_inactive to 72 hours.

You can use clean_removed for files that are removed from disk. Be aware that clean_removed cleans the file state from the registry whenever a file cannot be found during a scan. If the file shows up again later, it will be sent again from scratch.

Log rotation results in lost or duplicate events

Filebeat supports reading from rotating log files. However, some log rotation strategies can result in lost or duplicate events when using Filebeat to forward messages. To resolve this issue:

Avoid log rotation strategies that copy and truncate log files

Log rotation strategies that copy and truncate the input log file can result in Filebeat sending duplicate events. This happens because Filebeat identifies files by inode and device name. During log rotation, lines that Filebeat has already processed are moved to a new file. When Filebeat encounters the new file, it reads from the beginning because the previous state information (the offset and read timestamp) is associated with the inode and device name of the old file.

Furthermore, strategies that copy and truncate the input log file can result in lost events if lines are written to the log file after it’s copied, but before it’s truncated.
Make sure Filebeat is configured to read from all rotated logs

When an input log file is moved or renamed during log rotation, Filebeat is able to recognize that the file has already been read. After the file is rotated, a new log file is created, and the application continues logging. Filebeat picks up the new file during the next scan. Because the file has a new inode and device name, Filebeat starts reading it from the beginning.

To avoid missing events from a rotated file, configure the input to read from the log file and all the rotated files. For examples, see Example configurations.

If you’re using Windows, also see More about log rotation on Windows.

Example configurations

This section shows a typical configuration for logrotate, a popular tool for doing log rotation on Linux, followed by a Filebeat configuration that reads all the rotated logs.

logrotate.conf

In this example, Filebeat reads web server log. The logs are rotated every day, and the new file is created with the specified permissions.

/var/log/my-server/my-server.log {
    daily
    missingok
    rotate 7
    notifempty
    create 0640 www-data www-data
}

filebeat.yml

In this example, Filebeat is configured to read all log files to make sure it does not miss any events.

filebeat.inputs:
- type: filestream
  id: my-server-filestream-id
  paths:
  - /var/log/my-server/my-server.log*

More about log rotation on Windows

On Windows, log rotation schemes that delete old files and rename newer files to old filenames might get blocked if the old files are being processed by Filebeat. This happens because Windows does not delete files and file metadata until the last process has closed the file. Unlike most *nix filesystems, a Windows filename cannot be reused until all processes accessing the file have closed the deleted file.

To avoid this problem, use dates in rotated filenames. The file will never be renamed to an older filename, and the log writer and log rotator will always be able to open the file. This approach also highly reduces the chance of log writing, rotation, and collection interfering with each other.

Because log rotation is typically handled by the logging application, we are not providing an example configuration for Windows.

Also read Open file handlers cause issues with Windows file rotation.

Open file handlers cause issues with Windows file rotation

On Windows, you might have problems renaming or removing files because Filebeat keeps the file handlers open. This can lead to issues with the file rotating system. To avoid this issue, you can use the close_removed and close_renamed options together.

Important

When you configure these options, files may be closed before the harvester has finished reading the files. If the file cannot be picked up again by the input and the harvester hasn’t finish reading the file, the missing lines will never be sent to the output.

Filebeat is using too much CPU

Filebeat might be configured to scan for files too frequently. Check the setting for scan_frequency in the filebeat.yml config file. Setting scan_frequency to less than 1s may cause Filebeat to scan the disk in a tight loop.

Dashboard in {kib} is breaking up data fields incorrectly

The index template might not be loaded correctly. See [filebeat-template].

Fields are not indexed or usable in {kib} visualizations

If you have recently performed an operation that loads or parses custom, structured logs, you might need to refresh the index to make the fields available in {kib}. To refresh the index, use the {ref}/indices-refresh.html[refresh API]. For example:

curl -XPOST 'http://localhost:9200/filebeat-2016.08.09/_refresh'

Filebeat isn’t shipping the last line of a file

Filebeat uses a newline character to detect the end of an event. If lines are added incrementally to a file that’s being harvested, a newline character is required after the last line, or Filebeat will not read the last line of the file.

Filebeat keeps open file handlers of deleted files for a long time

In the default behaviour, Filebeat opens the files and keeps them open until it reaches the end of them. In situations when the configured output is blocked (e.g. {es} or {ls} is unavailable) for a long time, this can cause Filebeat to keep file handlers to files that were deleted from the file system in the mean time. As long as Filebeat keeps the deleted files open, the operating system doesn’t free up the space on disk, which can lead to increase disk utilisation or even out of disk situations.

To mitigate this issue, you can set the close_timeout setting to 5m. This will ensure every file handler is closed once every 5 minutes, regardless of whether it reached EOF or not. Note that this option can lead to data loss if the file is deleted before Filebeat reaches the end of the file.

Unresolved directive in faq.asciidoc - include::/github/workspace/../../libbeat/docs/faq-limit-bandwidth.asciidoc[]

Unresolved directive in faq.asciidoc - include::/github/workspace/../../libbeat/docs/shared-faq.asciidoc[]

Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/contributing-to-beats.asciidoc[]

Appendix A: Deleted pages

The following pages have moved or been deleted.

Google Cloud module

See Google Cloud module.

GSuite module

The GSuite module has been replaced by the Google Workspace module.

Unresolved directive in README.adoc - include::/github/workspace/../../libbeat/docs/redirects.asciidoc[]

Filebeat Reference

Filebeat overview

Filebeat quick start: installation and configuration

Before you begin

Step 1: Install Filebeat

Other installation options

Step 2: Connect to the {stack}

Step 3: Collect log data

Enable and configure data collection modules

Enable and configure ECS loggers for application log collection

Configure Filebeat manually

Step 4: Set up assets

Step 5: Start Filebeat

Step 6: View your data in {kib}

What’s next?

Set up and run Filebeat

Run Filebeat on Kubernetes

Kubernetes deploy manifests

Settings

Running Filebeat on master nodes

Red Hat OpenShift configuration

Load {kib} dashboards

Deploy

Parsing json logs

Logrotation

Upgrade Filebeat

How Filebeat works

What is a harvester?

What is an input?

How does Filebeat keep the state of files?

How does Filebeat ensure at-least-once delivery?

Configure Filebeat

Configure inputs

Input types

Manage multiline messages

Configuration options

Examples of multiline configuration

Java stack traces

Line continuations

Timestamps

Application events

Test your regexp pattern for multiline

Container input

Configuration options

stream

format

encoding

exclude_lines

include_lines

harvester_buffer_size

max_bytes

json

multiline

exclude_files

ignore_older

close_*

close_inactive

close_renamed

close_removed

close_eof

close_timeout

clean_*

clean_inactive

clean_removed

scan_frequency

scan.sort

scan.order

tail_files

symlinks

backoff

max_backoff

backoff_factor

harvester_limit

file_identity

Common options

enabled

tags

fields

fields_under_root

processors

`stream`

`format`

`encoding`

`exclude_lines`

`include_lines`

`harvester_buffer_size`

`max_bytes`

`json`

`multiline`

`exclude_files`

`ignore_older`

`close_*`

`close_inactive`

`close_renamed`

`close_removed`

`close_eof`

`close_timeout`

`clean_*`

`clean_inactive`

`clean_removed`

`scan_frequency`

`scan.sort`

`scan.order`

`tail_files`

`symlinks`

`backoff`

`max_backoff`

`backoff_factor`

`harvester_limit`

`file_identity`

`enabled`

`tags`

`fields`

`fields_under_root`

`processors`

`pipeline`

`keep_null`

`index`

`publisher_pipeline.disable_host`

`id`

`paths`

`prospector.scanner.recursive_glob`

`prospector.scanner.exclude_files`

`prospector.scanner.include_files`

`prospector.scanner.symlinks`

`prospector.scanner.resend_on_touch`

`prospector.scanner.check_interval`

`prospector.scanner.fingerprint`

`ignore_older`

`ignore_inactive`

`take_over`

`close.*`

`close.on_state_change.inactive`

`close.on_state_change.renamed`

`close.on_state_change.removed`

`close.reader.on_eof`

`close.reader.after_interval`

`clean_*`

`clean_inactive`

`clean_removed`

`backoff.*`

`backoff.init`

`backoff.max`

`file_identity`

`encoding`

`exclude_lines`

`include_lines`

`buffer_size`

`message_max_bytes`

`parsers`

`multiline`

`ndjson`

`container`

`syslog`

`include_message`

`enabled`

`tags`

`fields`

`fields_under_root`

`processors`