01_Introduction
02_Unified Cyber Defense Platform
03_The Stack
04_Features and capabilities
05_Operations
06_Architecture
- Architecture - Version 3
- Architecture - Version 4
07_Integration
- Cisco pxGrid Integration
- Threat Intel Sources
08_Use cases
- SIGMA Rules
  SIGMA Detection Attributes
  Understanding SIGMA Rule
  Creating SIGMA Rule
09_CaseHub
10_Active-Defense-Services
- Services (ADS - LIADS)
  Network Services
  Database Services
  Web-Apps
- Tokens (ADS - Tokens)
11_Data-Pipeline-Manager (DPM)
- Basic Concepts
- Getting Started
12_Deployment / Log Forwarding
13_MITRE ATT&CK
- MITRE ATT&CK Coverage by Tactic
- MITRE ATT&CK Coverage by Technique
14_BluArmour Endpoint Protection
- BluArmour For ICS / AirGapped Networks
15_BluGenie
16_Best Practices
17_Threat Hunt
18_Taxonomy
19_Product Videos
Appendix A

Powered by GitBook

On this page

Endpoint Detection

PreviousLinux NextNGFW (Firewalls)

Version 1.0

Please check back often. These tables are updated regularly to accommodate new fields as provided by vendors.

Field Names

Data Type

file.directory

text

file.hash.md5

text

file.hash.sha1

text

file.hash.sha256

text

file.name

text

file.size

int

host.architecture

text

host.mac

text

host.os.name

text

host.os.platform

text

host.os.version

text

source.user.domain

text

source.user.name

text

agent.type

text

destination.

text

destination.

ip

destination.

int

destination.as.organization.name

text

destination.geo.city_name

text

destination.geo.continent_code

text

destination.geo.country_code

text

destination.geo.country_name

text

destination.geo.location.lat

geopoint

destination.geo.location.lon

geopoint

destination.geo.region_name

text

destination.ip

ip

destination.locality

text

destination.port

int

dns.question.domain

text

dns.question.name

text

error.

text

event.action

text

event.category

array

event.created

date

event.dataset

text

event.id

text

event.kind

text

event.module

text

event.original

text

event.outcome

text

event.reason

text

event.severity

text

event.type

array

file.code_signature.signed

text

file.code_signature.subject_name

text

file.hash

text

file.name

text

file.path

text

file.pe.company

text

file.pe.description

text

file.pe.file_version

text

file.pe.imphash

text

file.pe.original_file_name

text

file.pe.product

text

hash.imphash

text

hash.md5

text

host.name

text

log.type

text

network.

text

network.

text

network.

text

network.

text

observer.ip

ip

observer.name

text

observer.product

text

observer.type

text

observer.vendor

text

organisation.id

text

process.args

text

process.command_line

text

process.executable

text

process.name

text

process.parent.args

text

process.parent.command_line

text

process.parent.executable

text

process.parent.name

text

process.parent.pid

text

process.pe.company

text

process.pe.description

text

process.pe.file_version

text

process.pe.imphash

text

process.pe.original_file_name

text

process.pe.product

text

process.pid

int

process.working_directory

text

registry.path

text

registry.value

text

related.hash

array

related.hosts

array

related.ip

array

related.user

array

rule.name

text

sensor.id

text

source.

ip

source.

text

source.as.number

text

source.as.organization.name

text

source.geo.city_name

text

source.geo.continent_code

text

source.geo.country_code

text

source.geo.country_name

text

source.geo.location.lat

geopoint

source.geo.location.lon

geopoint

source.geo.region_name

text

source.ip

ip

source.locality

text

source.port

int

threatintel.days

int

threatintel.entity

text

threatintel.event_data

text

threatintel.lookup

text

threatintel.malware.malware

text

threatintel.malware.timestamp

date/time

threatintel.severity

text

threatintel.tags

text

threatintel.white_list

text

user.domain

text

user.name

text

uuid

text