Endpoint Detection

Version 1.0

Please check back often: these tables are updated regularly to add new fields as vendors provide them.

Field Names

Data Type

file.directory

text

file.hash.md5

text

file.hash.sha1

text

file.hash.sha256

text

file.name

text

file.size

int

host.architecture

text

host.mac

text

host.os.name

text

host.os.platform

text

host.os.version

text

source.user.domain

text

source.user.name

text

agent.type

text

destination.

text

destination.

ip

destination.

int

destination.as.organization.name

text

destination.geo.city_name

text

destination.geo.continent_code

text

destination.geo.country_code

text

destination.geo.country_name

text

destination.geo.location.lat

geopoint

destination.geo.location.lon

geopoint

destination.geo.region_name

text

destination.ip

ip

destination.locality

text

destination.port

int

dns.question.domain

text

dns.question.name

text

error.

text

event.action

text

event.category

array

event.created

date

event.dataset

text

event.id

text

event.kind

text

event.module

text

event.original

text

event.outcome

text

event.reason

text

event.severity

text

event.type

array

file.code_signature.signed

text

file.code_signature.subject_name

text

file.hash

text

file.name

text

file.path

text

file.pe.company

text

file.pe.description

text

file.pe.file_version

text

file.pe.imphash

text

file.pe.original_file_name

text

file.pe.product

text

hash.imphash

text

hash.md5

text

host.name

text

log.type

text

network.

text

network.

text

network.

text

network.

text

observer.ip

ip

observer.name

text

observer.product

text

observer.type

text

observer.vendor

text

organisation.id

text

process.args

text

process.command_line

text

process.executable

text

process.name

text

process.parent.args

text

process.parent.command_line

text

process.parent.executable

text

process.parent.name

text

process.parent.pid

text

process.pe.company

text

process.pe.description

text

process.pe.file_version

text

process.pe.imphash

text

process.pe.original_file_name

text

process.pe.product

text

process.pid

int

process.working_directory

text

registry.path

text

registry.value

text

related.hash

array

related.hosts

array

related.ip

array

related.user

array

rule.name

text

sensor.id

text

source.

ip

source.

text

source.as.number

text

source.as.organization.name

text

source.geo.city_name

text

source.geo.continent_code

text

source.geo.country_code

text

source.geo.country_name

text

source.geo.location.lat

geopoint

source.geo.location.lon

geopoint

source.geo.region_name

text

source.ip

ip

source.locality

text

source.port

int

threatintel.days

int

threatintel.entity

text

threatintel.event_data

text

threatintel.lookup

text

threatintel.malware.malware

text

threatintel.malware.timestamp

date/time

threatintel.severity

text

threatintel.tags

text

threatintel.white_list

text

user.domain

text

user.name

text

uuid

text