01_Introduction
02_Unified Cyber Defense Platform
03_The Stack
04_Features and capabilities
05_Operations
06_Architecture
- Architecture - Version 3
- Architecture - Version 4
07_Integration
- Cisco pxGrid Integration
- Threat Intel Sources
08_Use cases
- SIGMA Rules
  SIGMA Detection Attributes
  Understanding SIGMA Rule
  Creating SIGMA Rule
09_CaseHub
10_Active-Defense-Services
- Services (ADS - LIADS)
  Network Services
  Database Services
  Web-Apps
- Tokens (ADS - Tokens)
11_Data-Pipeline-Manager (DPM)
- Basic Concepts
- Getting Started
12_Deployment / Log Forwarding
13_MITRE ATT&CK
- MITRE ATT&CK Coverage by Tactic
- MITRE ATT&CK Coverage by Technique
14_BluArmour Endpoint Protection
- BluArmour For ICS / AirGapped Networks
15_BluGenie
16_Best Practices
17_Threat Hunt
18_Taxonomy
19_Product Videos
Appendix A

Powered by GitBook

On this page

Linux

PreviousWindows NextEndpoint Detection

Version 1.0

Please check back often. These tables are updated regularly to accommodate new fields as provided by vendors.

Field Names

Data Type

Length

agent.type

text

32

auditd.

text

64

auditd.

text

32

auditd.

text

32

auditd.

text

32

destination.address

ip

destination.as.organization.name

text

128

destination.geo.city_name

text

32

destination.geo.continent_code

text

6

destination.geo.country_code

text

6

destination.geo.country_name

text

32

destination.geo.location.lat

geopoint

destination.geo.location.lon

geopoint

destination.geo.region_name

text

64

destination.locality

text

16

event.action

text

16

event.category

array

50

event.created

date

event.dataset

text

50

event.id

text

128

event.kind

text

16

event.module

text

16

event.original

event.outcome

text

16

event.reason

text

128

event.severity

text

16

event.type

array

32

file.name

int

128

host.architecture

text

32

log.type

text

32

message

text

1024

observer.type

text

32

organisation.id

text

8

process.

text

256

process.

text

128

process.

text

32

process.

int

16

process.

int

16

process.

text

256

process.arg_count

int

16

process.args

text

128

process.name

text

128

process.parent.pid

int

16

related.hash

array

128

related.hosts

array

128

related.ip

array

128

related.user

array

128

sensor.id

text

10

source.address

ip

source.as.number

text

16

source.as.organization.name

text

128

source.geo.city_name

text

32

source.geo.continent_code

text

6

source.geo.country_code

text

6

source.geo.country_name

text

32

source.geo.location.lat

geopoint

source.geo.location.lon

geopoint

source.geo.region_name

text

64

source.locality

text

16

threatintel.days

int

16

threatintel.entity

text

16

threatintel.event_data

text

512

threatintel.lookup

text

16

threatintel.malware.malware

text

512

threatintel.malware.timestamp

date/time

threatintel.severity

text

16

threatintel.tags

text

256

threatintel.white_list

text

32

user.audit.group.id

text

32

user.audit.id

text

32

user.effective.group.id

text

32

user.effective.id

text

32

user.filesystem.group.id

text

32

user.filesystem.id

text

32

user.group.id

text

32

user.id

text

128

user.name

text

128

user.owner.group.id

text

32

user.owner.id

text

32

user.saved.group.id

text

32

user.saved.id

text

32

user.terminal

text

128

uuid

text

36