Endpoint Protection

Version 1.2

Please check back often. These tables are updated regularly to accommodate new fields as provided by vendors.

Field Name

Data Type

agent.type

text

agent.type

text

destination.address

ip

destination.as.organization.name

text

destination.domain

text

destination.geo.city_name

text

destination.geo.continent_code

text

destination.geo.country_code

text

destination.geo.country_name

text

destination.geo.location.lat

geopoint

destination.geo.location.lon

geopoint

destination.geo.region_name

text

destination.locality

text

destination.mac

text

destination.port

int

event.action

text

event.category

array

event.count

int

event.created

date

event.dataset

text

event.id

text

event.kind

text

event.module

text

event.original

text

event.outcome

text

event.reason

text

event.severity

text

event.type

array

file.hash.sha1

text

file.hash.sha1

text

file.hash.sha256

text

file.hash.sha256

text

file.name

text

file.path

text

file.path

text

file.pe.company

text

file.pe.file_version

text

file.pe.product

text

file.size

text

host.hostname

text

host.hostname

text

host.ip

ip

host.name

text

log.type

text

log.type

text

message

message

network.direction

text

network.transport

text

observer.ip

ip

observer.name

text

observer.product

text

observer.type

text

observer.type

text

observer.vendor

text

organisation.id

text

os.name

text

process.args

text

process.command_line

text

process.command_line

text

process.end

date/time

process.executable

text

process.hash.md5

text

process.hash.sha256

text

process.name

text

process.parent.args

text

process.parent.command_line

text

process.parent.executable

text

process.parent.pid

int

process.parent.pid

int

process.parent.start

date/time

process.pid

int

process.pid

int

process.start

date/time

process.start

date/time

related.hash

array

related.hash

text

related.hosts

array

related.hosts

text

related.ip

array

related.ip

text

related.user

array

related.user

text

rule.author

text

rule.category

text

rule.description

text

rule.description

text

rule.id

text

rule.id

text

rule.name

text

rule.name

text

rule.ruleset

text

rule.uuid

text

sensor.id

text

source.address

ip

source.as.number

text

source.as.organization.name

text

source.domain

text

source.geo.city_name

text

source.geo.continent_code

text

source.geo.country_code

text

source.geo.country_name

text

source.geo.location.lat

geopoint

source.geo.location.lon

geopoint

source.geo.region_name

text

source.hostname

text

source.ip

ip

source.locality

text

source.mac

text

source.port

int

threat.framework

text

threat.tactic.id

text

threat.tactic.name

text

threat.technique.id

text

threat.technique.name

text

threat.technique.name

text

threat.technique.name.text

text

threatintel.days

int

threatintel.days

int

threatintel.entity

text

threatintel.event_data

text

threatintel.event_data

text

threatintel.lookup

text

threatintel.malware.malware

text

threatintel.malware.malware

text

threatintel.malware.timestamp

date/time

threatintel.malware.timestamp

date/time

threatintel.severity

text

threatintel.severity

text

threatintel.tags

text

threatintel.tags

text

threatintel.white_list

text

threatintel.white_list

text

url.full

text

url.original

text

user.domain

text

user.name

text

user.name

text

user.role

text

uuid

text