Version 1.2
Please check back often. These tables are updated regularly to accommodate new fields as provided by vendors.
Field Name
Data Type
agent.type
text
agent.type
text
destination.address
ip
destination.as.organization.name
text
destination.domain
text
destination.geo.city_name
text
destination.geo.continent_code
text
destination.geo.country_code
text
destination.geo.country_name
text
destination.geo.location.lat
geopoint
destination.geo.location.lon
geopoint
destination.geo.region_name
text
destination.locality
text
destination.mac
text
destination.port
int
event.action
text
event.category
array
event.count
int
event.created
date
event.dataset
text
event.id
text
event.kind
text
event.module
text
event.original
text
event.outcome
text
event.reason
text
event.severity
text
event.type
array
file.hash.sha1
text
file.hash.sha1
text
file.hash.sha256
text
file.hash.sha256
text
file.name
text
file.path
text
file.path
text
file.pe.company
text
file.pe.file_version
text
file.pe.product
text
file.size
text
host.hostname
text
host.hostname
text
host.ip
ip
host.name
text
log.type
text
log.type
text
message
message
network.direction
text
network.transport
text
observer.ip
ip
observer.name
text
observer.product
text
observer.type
text
observer.type
text
observer.vendor
text
organisation.id
text
os.name
text
process.args
text
process.command_line
text
process.command_line
text
process.end
date/time
process.executable
text
process.hash.md5
text
process.hash.sha256
text
process.name
text
process.parent.args
text
process.parent.command_line
text
process.parent.executable
text
process.parent.pid
int
process.parent.pid
int
process.parent.start
date/time
process.pid
int
process.pid
int
process.start
date/time
process.start
date/time
related.hash
array
related.hash
text
related.hosts
array
related.hosts
text
related.ip
array
related.ip
text
related.user
array
related.user
text
rule.author
text
rule.category
text
rule.description
text
rule.description
text
rule.id
text
rule.id
text
rule.name
text
rule.name
text
rule.ruleset
text
rule.uuid
text
sensor.id
text
source.address
ip
source.as.number
text
source.as.organization.name
text
source.domain
text
source.geo.city_name
text
source.geo.continent_code
text
source.geo.country_code
text
source.geo.country_name
text
source.geo.location.lat
geopoint
source.geo.location.lon
geopoint
source.geo.region_name
text
source.hostname
text
source.ip
ip
source.locality
text
source.mac
text
source.port
int
threat.framework
text
threat.tactic.id
text
threat.tactic.name
text
threat.technique.id
text
threat.technique.name
text
threat.technique.name
text
threat.technique.name.text
text
threatintel.days
int
threatintel.days
int
threatintel.entity
text
threatintel.event_data
text
threatintel.event_data
text
threatintel.lookup
text
threatintel.malware.malware
text
threatintel.malware.malware
text
threatintel.malware.timestamp
date/time
threatintel.malware.timestamp
date/time
threatintel.severity
text
threatintel.severity
text
threatintel.tags
text
threatintel.tags
text
threatintel.white_list
text
threatintel.white_list
text
url.full
text
url.original
text
user.domain
text
user.name
text
user.name
text
user.role
text
uuid
text
