Windows
Version 1.2
\
Fields | Data Type |
event.category | array |
event.dataset | text |
event.module | text |
event.kind | text |
event.outcome | text |
event.type | array |
event.action | text |
event.id | text |
event.original | |
event.severity | text |
event.created | date |
event.reason | text |
uuid | text |
organisation.id | text |
sensor.id | text |
source.as.organization.name | text |
source.geo.city_name | text |
source.geo.country_code | text |
source.geo.country_name | text |
source.geo.location.lat | geopoint |
source.geo.location.lon | geopoint |
source.geo.region_name | text |
source.geo.continent_code | text |
destination.as.organization.name | text |
destination.geo.city_name | text |
destination.geo.country_code | text |
destination.geo.country_name | text |
destination.geo.location.lat | geopoint |
destination.geo.location.lon | geopoint |
destination.geo.region_name | text |
destination.geo.continent_code | text |
source.as.number | text |
threatintel.entity | text |
threatintel.lookup | text |
source.locality | text |
destination.locality | text |
network.community_id | text |
host.name | text |
user.name | text |
user.domain | text |
process.name | text |
process.executable | text |
process.args | array |
process.pid | int |
process.parent.executable | text |
process.parent.name | text |
process.parent.args | text |
process.working_directory | text |
process.parent.pid | int |
file.path | text |
source.ip | ip |
source.port | int |
destination.ip | ip |
destination.port | int |
registry.path | text |
registry.value | text |
hash.imphash | text |
hash.md5 | text |
destination.domain | text |
destination.ip | ip |
destination.port | int |
error.message | text |
network.direction | text |
network.protocol | text |
network.transport | text |
network.type | text |
source.address | ip |
source.domain | text |
source.ip | ip |
source.port | int |
rule.name | text |
process.pe.imphash | text |
process.command_line | text |
process.parent.command_line | text |
process.pe.original_file_name | text |
process.pe.company | text |
process.pe.description | text |
process.pe.file_version | text |
process.pe.product | text |
file.hash | text |
file.pe.imphash | text |
file.name | text |
file.code_signature.subject_name | text |
file.pe.original_file_name | text |
file.pe.company | text |
file.pe.description | text |
file.pe.file_version | text |
file.pe.product | text |
file.code_signature.signed | text |
dns.question.name | text |
network.type | text |
sysmon.dns.status | text |
sysmon.file.archived | text |
sysmon.file.is_executable | text |
powershell.engine.new_state | text |
powershell.engine.previous_state | text |
powershell.provider.new_state | text |
powershell.provider.name | text |
powershell.sequence | text |
powershell.engine.version | text |
powershell.process.executable_version | text |
powershell.command.value | text |
powershell.command.path | text |
powershell.command.name | text |
source.user.name | text |
source.user.domain | text |
powershell.file.script_block_text | text |
powershell.file.script_block_id | text |
rule.uuid | text |
rule.id | text |
error.code | text |
winlog.accesslist | |
winlog.accessmask | |
winlog.accesses | |
source.user.id | |
winlog.action | |
winlog.address | |
winlog.allowedtodelegateto | |
winlog.appid | |
winlog.appname | |
winlog.application | |
winlog.applicationpath | |
winlog.attributeldapdisplayname | |
winlog.attributevalue | |
winlog.auditpolicychanges | |
winlog.auditsourcename | |
package.name (remove) | |
winlog.binary | |
winlog.calltrace | |
winlog.caption | |
winlog.certthumbprint | |
winlog.classname | |
winlog.clientprocessid | |
winlog.contents | |
winlog.contextinfo | |
winlog.failurecode | |
winlog.feature_name | |
winlog.filenamebuffer | |
winlog.grantedaccess | |
winlog.impersonationlevel | |
winlog.integritylevel | |
winlog.keylength | |
winlog.keywords | |
winlog.layerrtid | |
winlog.level | |
winlog.localname | |
winlog.logontype | |
winlog.message | |
winlog.modifyingapplication | |
winlog.name | |
winlog.newname | |
winlog.newtargetusername | |
winlog.newtemplatecontent | |
winlog.newuacvalue | |
winlog.newvalue | |
winlog.objectclass | |
winlog.objectname | |
winlog.objectserver | |
winlog.objecttype | |
winlog.objectvaluename | |
winlog.olduacvalue | |
winlog.oldvalue | |
winlog.origin | |
winlog.originalfilename | |
winlog.packagefullname | |
winlog.packagepath | |
winlog.parentcommandline | |
winlog.parentimage | |
winlog.parentprocessid | |
winlog.parentuser | |
winlog.path | |
winlog.pipename | |
winlog.possiblecause | |
winlog.previouscreationutctime | |
winlog.privilegelist | |
winlog.processid | |
winlog.processname | |
winlog.processnamebuffer | |
winlog.processpath | |
winlog.product | |
winlog.properties | |
winlog.protocol | |
winlog.provider | |
winlog.providername | |
winlog.provider_name | |
winlog.qname | |
winlog.query | |
winlog.queryname | |
winlog.reason | |
winlog.relativetargetname | |
winlog.remotename | |
winlog.requestedpolicy | |
winlog.samaccountname | |
winlog.searchfilter | |
winlog.servername | |
winlog.service | |
winlog.servicefilename | |
winlog.servicename | |
winlog.serviceprincipalnames | |
winlog.servicestarttype | |
winlog.servicetype | |
winlog.sharename | |
winlog.sidhistory | |
winlog.sidlist | |
winlog.signature | |
winlog.signaturestatus | |
winlog.signed | |
winlog.sourceaddress | |
winlog.sourcecommandline | |
winlog.sourcefilename | |
winlog.sourcehostname | |
winlog.sourceimage | |
winlog.sourceip | |
winlog.sourcename | |
winlog.sourceparentimage | |
winlog.sourceport | |
winlog.startaddress | |
winlog.startfunction | |
winlog.startmodule | |
winlog.state | |
winlog.status | |
winlog.subcategoryguid | |
winlog.subjectdomainname | |
winlog.subjectlogonid | |
winlog.subjectusername | |
winlog.subjectusersid | |
winlog.targetfilename | |
winlog.targetimage | |
user.id | |
destination.user.name | |
winlog.targetparentimage | |
winlog.targetparentprocessid | |
winlog.targetservername | |
winlog.targetsid | |
winlog.targetusername | |
winlog.targetusersid | |
winlog.taskcontent | |
winlog.taskcontentnew | |
winlog.taskname | |
winlog.templatecontent | |
winlog.ticketencryptiontype | |
winlog.ticketoptions | |
winlog.type | |
winlog.user | |
winlog.username | |
winlog.value | |
winlog.workstation | |
winlog.workstationname | |
winlog.param1 | |
winlog.param2 | |
winlog.param3 | |
winlog.payload | |
winlog.process | |
related.user | array |
related.hash | array |
related.ip | array |
related.hosts | array |
agent.type | text |
log.type | text |
observer.type | text |
threatintel.days | int |
threatintel.event_data | text |
threatintel.malware.malware | text |
threatintel.malware.timestamp | date/time |
threatintel.tags | text |
threatintel.white_list | text |
threatintel.severity | text |
message | |
asset.category | array |
asset.rank | int |
asset.type | array |
destination.address | ip |
destination.user.group.id | text |
destination.user.group.name | text |
destination.user_name | text |
dns.answers | array |
dns.response_code | text |
event.channel | text |
event.code | int |
event.provider | text |
group.domain | text |
group.id | text |
group.name | text |
host.ip | ip |
observer.product | text |
observer.vendor | text |
registry.hive | text |
registry.key | text |
service.name | text |
service.state | text |
service.type | text |
user.target.domain | text |
user.type | text |
event.outcome | text |
new fields to add | |
network.direction | |
winlog.exceptioncode | |
winlog.logonprocessname | |
winlog.authenticationpackagename | |
winlog.devicedescription | |
winlog.devicename | |
winlog.errorcode | |
winlog.source_name | |
winlog.hivename | |
winlog.imagename | |
winlog.new_value | |
winlog.old_value | |
winlog.objectname | |
package.path | |
winlog.filterorigin | |
winlog.scriptblocktext | |
winlog.description | |
winlog.targetname | |
winlog.targetoutboundusername | |
winlog.targetlogonid | |
source.domain | |
winlog.subjectname |