Windows
Version 1.2
\
Fields
Data Type
event.category
array
event.dataset
text
event.module
text
event.kind
text
event.outcome
text
event.type
array
event.action
text
event.id
text
event.original (no data type specified in this list)
event.severity
text
event.created
date
event.reason
text
uuid
text
organisation.id
text
sensor.id
text
source.as.organization.name
text
source.geo.city_name
text
source.geo.country_code
text
source.geo.country_name
text
source.geo.location.lat
geopoint (note: lat and lon are listed as separate geopoint fields; a geopoint normally holds both coordinates in one field, e.g. source.geo.location)
source.geo.location.lon
geopoint (see note above)
source.geo.region_name
text
source.geo.continent_code
text
destination.as.organization.name
text
destination.geo.city_name
text
destination.geo.country_code
text
destination.geo.country_name
text
destination.geo.location.lat
geopoint (note: lat and lon are listed as separate geopoint fields; a geopoint normally holds both coordinates in one field, e.g. destination.geo.location)
destination.geo.location.lon
geopoint (see note above)
destination.geo.region_name
text
destination.geo.continent_code
text
source.as.number
text
threatintel.entity
text
threatintel.lookup
text
source.locality
text
destination.locality
text
network.community_id
text
host.name
text
user.name
text
user.domain
text
process.name
text
process.executable
text
process.args
array
process.pid
int
process.parent.executable
text
process.parent.name
text
process.parent.args
text
process.working_directory
text
process.parent.pid
int
file.path
text
source.ip
ip
source.port
int
destination.ip
ip
destination.port
int
registry.path
text
registry.value
text
hash.imphash
text
hash.md5
text
destination.domain
text
destination.ip (duplicate entry; already listed above)
ip
destination.port (duplicate entry; already listed above)
int
error.message
text
network.direction
text
network.protocol
text
network.transport
text
network.type
text
source.address
ip (note: in ECS *.address is a keyword that may hold a hostname as well as an IP; an ip mapping will reject hostname values — see source.domain and source.ip below)
source.domain
text
source.ip (duplicate entry; already listed above)
ip
source.port (duplicate entry; already listed above)
int
rule.name
text
process.pe.imphash
text
process.command_line
text
process.parent.command_line
text
process.pe.original_file_name
text
process.pe.company
text
process.pe.description
text
process.pe.file_version
text
process.pe.product
text
file.hash
text
file.pe.imphash
text
file.name
text
file.code_signature.subject_name
text
file.pe.original_file_name
text
file.pe.company
text
file.pe.description
text
file.pe.file_version
text
file.pe.product
text
file.code_signature.signed
text
dns.question.name
text
network.type (duplicate entry; already listed above)
text
sysmon.dns.status
text
sysmon.file.archived
text
sysmon.file.is_executable
text
powershell.engine.new_state
text
powershell.engine.previous_state
text
powershell.provider.new_state
text
powershell.provider.name
text
powershell.sequence
text
powershell.engine.version
text
powershell.process.executable_version
text
powershell.command.value
text
powershell.command.path
text
powershell.command.name
text
source.user.name
text
source.user.domain
text
powershell.file.script_block_text (may contain credentials or other secrets embedded in scripts; restrict read access accordingly)
text
powershell.file.script_block_id
text
rule.uuid
text
rule.id
text
error.code
text
winlog.accesslist
winlog.accessmask
winlog.accesses
source.user.id
winlog.action
winlog.address
winlog.allowedtodelegateto
winlog.appid
winlog.appname
winlog.application
winlog.applicationpath
winlog.attributeldapdisplayname
winlog.attributevalue
winlog.auditpolicychanges
winlog.auditsourcename
package.name (remove)
winlog.binary
winlog.calltrace
winlog.caption
winlog.certthumbprint
winlog.classname
winlog.clientprocessid
winlog.contents
winlog.contextinfo
winlog.failurecode
winlog.feature_name
winlog.filenamebuffer
winlog.grantedaccess
winlog.impersonationlevel
winlog.integritylevel
winlog.keylength
winlog.keywords
winlog.layerrtid
winlog.level
winlog.localname
winlog.logontype
winlog.message
winlog.modifyingapplication
winlog.name
winlog.newname
winlog.newtargetusername
winlog.newtemplatecontent
winlog.newuacvalue
winlog.newvalue
winlog.objectclass
winlog.objectname
winlog.objectserver
winlog.objecttype
winlog.objectvaluename
winlog.olduacvalue
winlog.oldvalue
winlog.origin
winlog.originalfilename
winlog.packagefullname
winlog.packagepath
winlog.parentcommandline
winlog.parentimage
winlog.parentprocessid
winlog.parentuser
winlog.path
winlog.pipename
winlog.possiblecause
winlog.previouscreationutctime
winlog.privilegelist
winlog.processid
winlog.processname
winlog.processnamebuffer
winlog.processpath
winlog.product
winlog.properties
winlog.protocol
winlog.provider
winlog.providername
winlog.provider_name
winlog.qname
winlog.query
winlog.queryname
winlog.reason
winlog.relativetargetname
winlog.remotename
winlog.requestedpolicy
winlog.samaccountname
winlog.searchfilter
winlog.servername
winlog.service
winlog.servicefilename
winlog.servicename
winlog.serviceprincipalnames
winlog.servicestarttype
winlog.servicetype
winlog.sharename
winlog.sidhistory
winlog.sidlist
winlog.signature
winlog.signaturestatus
winlog.signed
winlog.sourceaddress
winlog.sourcecommandline
winlog.sourcefilename
winlog.sourcehostname
winlog.sourceimage
winlog.sourceip
winlog.sourcename
winlog.sourceparentimage
winlog.sourceport
winlog.startaddress
winlog.startfunction
winlog.startmodule
winlog.state
winlog.status
winlog.subcategoryguid
winlog.subjectdomainname
winlog.subjectlogonid
winlog.subjectusername
winlog.subjectusersid
winlog.targetfilename
winlog.targetimage
user.id
destination.user.name
winlog.targetparentimage
winlog.targetparentprocessid
winlog.targetservername
winlog.targetsid
winlog.targetusername
winlog.targetusersid
winlog.taskcontent
winlog.taskcontentnew
winlog.taskname
winlog.templatecontent
winlog.ticketencryptiontype
winlog.ticketoptions
winlog.type
winlog.user
winlog.username
winlog.value
winlog.workstation
winlog.workstationname
winlog.param1
winlog.param2
winlog.param3
winlog.payload
winlog.process
related.user
array
related.hash
array
related.ip
array
related.hosts
array
agent.type
text
log.type
text
observer.type
text
threatintel.days
int
threatintel.event_data
text
threatintel.malware.malware
text
threatintel.malware.timestamp
date
threatintel.tags
text
threatintel.white_list
text
threatintel.severity
text
message
asset.category
array
asset.rank
int
asset.type
array
destination.address
ip (note: in ECS *.address is a keyword that may hold a hostname as well as an IP; an ip mapping will reject hostname values — see destination.domain and destination.ip above)
destination.user.group.id
text
destination.user.group.name
text
destination.user_name (non-ECS name; inconsistent with destination.user.name listed above)
text
dns.answers
array
dns.response_code
text
event.channel
text
event.code
int
event.provider
text
group.domain
text
group.id
text
group.name
text
host.ip
ip
observer.product
text
observer.vendor
text
registry.hive
text
registry.key
text
service.name
text
service.state
text
service.type
text
user.target.domain
text
user.type
text
event.outcome (duplicate entry; already listed above)
text
New fields to add (no data type assigned yet for the fields below)
network.direction (already listed above)
winlog.exceptioncode
winlog.logonprocessname
winlog.authenticationpackagename
winlog.devicedescription
winlog.devicename
winlog.errorcode
winlog.source_name
winlog.hivename
winlog.imagename
winlog.new_value
winlog.old_value
winlog.objectname (already listed above)
package.path
winlog.filterorigin
winlog.scriptblocktext (may contain credentials or other secrets embedded in scripts; restrict read access accordingly)
winlog.description
winlog.targetname
winlog.targetoutboundusername
winlog.targetlogonid
source.domain (already listed above)
winlog.subjectname