Alert Data
Version 3.5
Field Name | Data Type |
ads.token.id | string |
ads.token.id.keyword | string |
ads.token.reminder_text | string |
ads.token.type | string |
ads.token.useragent | string |
agent.type | text |
alert.level | string |
alert.level.keyword | string |
alert.timestamp | date |
clientID | string |
clientID.keyword | string |
cloud.account.id | text |
cloud.instance.name | text |
cloud.provider | text |
cloud.region | text |
cloud.service.name | text |
destination.as.organization.name | text |
destination.bytes | int |
destination.domain | text |
destination.geo.city_name | text |
destination.geo.continent_code | text |
destination.geo.country_code | text |
destination.geo.country_name | text |
destination.geo.location.lat | geopoint |
destination.geo.location.lon | geopoint |
destination.geo.region_name | text |
destination.ip | ip |
destination.locality | text |
destination.port | int |
destination.user.email | text |
destination.user.name | text |
dns.question.name | |
dns.response_code | text |
dns.type | text |
email.attachments | text |
email.attachments.file.hash.md5 | text |
email.attachments.file.hash.sha1 | text |
email.attachments.file.hash.sha256 | text |
email.attachments.file.mime_type | text |
email.attachments.file.name | text |
email.attachments.file.size | int |
email.from.address | text |
email.subject | text |
email.to.address | text |
event.action | text |
event.action.keyword | string |
event.category | text |
event.channel | text |
event.code | int |
event.created | date |
event.dataset | text |
event.id | text |
event.kind | text |
event.kind.keyword | string |
event.module | text |
event.original | text |
event.outcome | text |
event.reason | text |
event.severity | text |
event.type | text |
events.event.created | date |
events.event_host | string |
events.event_host.keyword | string |
events.index | string |
events.index.keyword | string |
events.observer.type | string |
events.observer.type.keyword | string |
events.record_number | string |
events.record_number.keyword | string |
events.uuid | string |
events.uuid.keyword | string |
falsepositives | string |
falsepositives.keyword | string |
file.hash.imphash | text |
file.hash.md5 | text |
file.hash.sha1 | text |
file.hash.sha256 | text |
file.name | text |
file.owner | text |
file.path | text |
file.size | int |
host.ip | ip |
host.name | text |
http.request.bytes | int |
http.request.method | text |
http.request.mime_type | text |
http.request.referrer | text |
http.response.bytes | int |
http.response.mime_type | text |
http.response.status_code | int |
log.type | text |
network.application | text |
network.bytes | int |
network.community.id | text |
network.community_id | text |
network.direction | text |
network.packets | int |
network.protocol | text |
network.transport | text |
observer.type | text |
organisation.id | text |
process.command_line | text |
process.executable | text |
process.hash.imphash | text |
process.hash.md5 | text |
process.hash.sha1 | text |
process.hash.sha256 | text |
process.name | text |
process.parent.command_line | text |
process.parent.executable | text |
process.parent.hash.md5 | text |
process.parent.hash.sha1 | text |
process.parent.hash.sha256 | text |
process.parent.name | text |
process.parent.pid | int |
process.pe.company | text |
process.pe.description | text |
process.pe.original_file_name | text |
process.pe.product | text |
process.pid | int |
process.working_directory | text |
registry.hive | text |
registry.key | text |
registry.path | text |
registry.value | text |
related.hash | text |
related.hosts | text |
related.ip | text |
related.user | text |
rule.author | text |
rule.category | text |
rule.description | text |
rule.id | text |
rule.license | text |
rule.name | text |
rule.reference | text |
rule.ruleset | text |
rule.uuid | text |
sensor.id | text |
source.as.number | text |
source.as.organization.name | text |
source.bytes | int |
source.domain | text |
source.geo.city_name | text |
source.geo.continent_code | text |
source.geo.country_code | text |
source.geo.country_name | text |
source.geo.location.lat | geopoint |
source.geo.location.lon | geopoint |
source.geo.region_name | text |
source.ip | ip |
source.locality | text |
source.port | int |
source.user.email | text |
source.user.name | text |
threat.software.id | text |
threat.software.name | text |
threat.software.platforms | text |
threat.software.reference | text |
threat.software.type | text |
threat.tactic.id | text |
threat.tactic.name | text |
threat.tactic.reference | text |
threat.technique.id | text |
threat.technique.name | text |
threat.technique.reference | text |
threat.technique.subtechnique.id | text |
threat.technique.subtechnique.name | text |
threat.technique.subtechnique.reference | text |
threatintel.days | int |
threatintel.entity | array |
threatintel.event_data | text |
threatintel.lookup | text |
threatintel.malware.malware | text |
threatintel.malware.timestamp | date/time |
threatintel.severity | text |
threatintel.tags | text |
threatintel.white_list | text |
url.original | text |
user.domain | |
user.name | text |
user_agent.original | text |
uuid | text |
winlog.consumer | |
winlog.eventtype | |
winlog.grantedaccess | |
winlog.initiated | |
winlog.integritylevel | |
winlog.state | |
winlog.targetimage | |
winlog.user | |
winlog.wmi_filter_path | |
winlog.wmi_name | |
winlog.wmi_namespace | |
winlog.wmi_operation | |