Endpoint Detection
Version 1.0
Please check back often: these tables are updated regularly to add new fields as vendors provide them.
Field Name | Data Type |
file.directory | text |
file.hash.md5 | text |
file.hash.sha1 | text |
file.hash.sha256 | text |
file.name | text |
file.size | int |
host.architecture | text |
host.mac | text |
host.os.name | text |
host.os.platform | text |
host.os.version | text |
source.user.domain | text |
source.user.name | text |
agent.type | text |
destination. | text |
destination. | ip |
destination. | int |
destination.as.organization.name | text |
destination.geo.city_name | text |
destination.geo.continent_code | text |
destination.geo.country_code | text |
destination.geo.country_name | text |
destination.geo.location.lat | geopoint |
destination.geo.location.lon | geopoint |
destination.geo.region_name | text |
destination.ip | ip |
destination.locality | text |
destination.port | int |
dns.question.domain | text |
dns.question.name | text |
error. | text |
event.action | text |
event.category | array |
event.created | date |
event.dataset | text |
event.id | text |
event.kind | text |
event.module | text |
event.original | text |
event.outcome | text |
event.reason | text |
event.severity | text |
event.type | array |
file.code_signature.signed | text |
file.code_signature.subject_name | text |
file.hash | text |
file.name | text |
file.path | text |
file.pe.company | text |
file.pe.description | text |
file.pe.file_version | text |
file.pe.imphash | text |
file.pe.original_file_name | text |
file.pe.product | text |
hash.imphash | text |
hash.md5 | text |
host.name | text |
log.type | text |
network. | text |
network. | text |
network. | text |
network. | text |
observer.ip | ip |
observer.name | text |
observer.product | text |
observer.type | text |
observer.vendor | text |
organisation.id | text |
process.args | text |
process.command_line | text |
process.executable | text |
process.name | text |
process.parent.args | text |
process.parent.command_line | text |
process.parent.executable | text |
process.parent.name | text |
process.parent.pid | text |
process.pe.company | text |
process.pe.description | text |
process.pe.file_version | text |
process.pe.imphash | text |
process.pe.original_file_name | text |
process.pe.product | text |
process.pid | int |
process.working_directory | text |
registry.path | text |
registry.value | text |
related.hash | array |
related.hosts | array |
related.ip | array |
related.user | array |
rule.name | text |
sensor.id | text |
source. | ip |
source. | text |
source.as.number | text |
source.as.organization.name | text |
source.geo.city_name | text |
source.geo.continent_code | text |
source.geo.country_code | text |
source.geo.country_name | text |
source.geo.location.lat | geopoint |
source.geo.location.lon | geopoint |
source.geo.region_name | text |
source.ip | ip |
source.locality | text |
source.port | int |
threatintel.days | int |
threatintel.entity | text |
threatintel.event_data | text |
threatintel.lookup | text |
threatintel.malware.malware | text |
threatintel.malware.timestamp | date/time |
threatintel.severity | text |
threatintel.tags | text |
threatintel.white_list | text |
user.domain | text |
user.name | text |
uuid | text |