From 4d6643d1ce458bfba700825deac8b60959b4dd62 Mon Sep 17 00:00:00 2001 
From: ShourieG <105607378+ShourieG@users.noreply.github.com> Date: Wed, 23 Oct 2024 19:34:58 +0530 Subject: [PATCH] [Amazon Security Lake] - OCSF v1.1 update with major refactor & adding support for dynamic template and mappings & system tests (#10405) * Added support for OCSF v1.1.0. with major pipeline refactor and dynamic mapping support. --- .../_dev/build/docs/README.md | 4 +- packages/amazon_security_lake/changelog.yml | 5 + .../fields/actor-fields.yml | 1815 ++++++ .../fields/api-fields.yml | 154 + .../fields/device-fields.yml | 348 ++ .../application_activity/fields/fields.yml | 2540 +------- .../fields/file-fields.yml | 509 ++ .../fields/metadata-fields.yml | 122 + .../fields/network-endpoint-fields.yml | 213 + .../fields/resource-fields.yml | 141 + .../application_activity/manifest.yml | 6 + .../discovery/fields/actor-fields.yml | 1815 ++++++ .../discovery/fields/api-fields.yml | 154 + .../discovery/fields/device-fields.yml | 348 ++ .../data_stream/discovery/fields/fields.yml | 2203 +------ .../discovery/fields/metadata-fields.yml | 122 + .../discovery/fields/user-fields.yml | 254 + .../data_stream/discovery/manifest.yml | 6 + .../data_stream/event/_dev/deploy/tf/env.yml | 9 + .../tf/files/application_lifecycle.parquet | Bin 0 -> 28930 bytes .../discovery_user_inventory_info.parquet | Bin 0 -> 138794 bytes .../findings_compliance_findings.parquet | Bin 0 -> 22402 bytes .../tf/files/iam_account_change.parquet | Bin 0 -> 22173 bytes .../tf/files/network_email_activity.parquet | Bin 0 -> 22696 bytes .../files/system_file_system_activity.parquet | Bin 0 -> 68986 bytes .../data_stream/event/_dev/deploy/tf/main.tf | 44 + .../event/_dev/deploy/tf/variables.tf | 22 + .../pipeline/test-application-activity.log | 4 + ...est-application-activity.log-expected.json | 2564 +++++++- .../_dev/test/pipeline/test-common-config.yml | 14 + .../_dev/test/pipeline/test-discovery.log | 4 + .../pipeline/test-discovery.log-expected.json | 1277 +++- 
.../_dev/test/pipeline/test-findings.log | 4 + .../pipeline/test-findings.log-expected.json | 1829 +++++- .../test/pipeline/test-iam.log-expected.json | 35 +- .../test/pipeline/test-network-activity.log | 2 + .../test-network-activity.log-expected.json | 1220 +++- .../test-system-activity.log-expected.json | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 124 +- ...pipeline_category_application_activity.yml | 2 +- .../pipeline_category_discovery.yml | 2 +- .../pipeline_category_findings.yml | 2 +- ...ategory_identity_and_access_management.yml | 2 +- .../pipeline_category_network_activity.yml | 2 +- .../pipeline_category_system_activity.yml | 2 +- .../ingest_pipeline/pipeline_object_actor.yml | 2 +- .../pipeline_object_attack.yml | 2 +- .../pipeline_object_device.yml | 2 +- .../ingest_pipeline/pipeline_object_file.yml | 2 +- .../pipeline_object_http_request.yml | 2 +- .../pipeline_object_malware.yml | 2 +- ...ipeline_object_network_connection_info.yml | 2 +- .../pipeline_object_network_endpoint.yml | 2 +- .../pipeline_object_process.yml | 2 +- .../ingest_pipeline/pipeline_object_proxy.yml | 2 +- ...pipeline_object_system_activity_helper.yml | 2 +- .../ingest_pipeline/pipeline_object_tls.yml | 2 +- .../pipeline_object_traffic.yml | 2 +- .../ingest_pipeline/pipeline_object_user.yml | 34 +- .../event/fields/actor-fields-flattened.yml | 1638 +++++ .../data_stream/event/fields/api-fields.yml | 154 + .../data_stream/event/fields/base-fields.yml | 1 - .../data_stream/event/fields/beats.yml | 14 +- .../event/fields/device-fields.yml | 348 ++ .../data_stream/event/fields/fields.yml | 5512 ++++------------- .../data_stream/event/fields/file-fields.yml | 509 ++ .../event/fields/metadata-fields.yml | 122 + .../data_stream/event/fields/misc-fields.yml | 89 + .../event/fields/network-endpoint-fields.yml | 213 + .../event/fields/proxy-endpoint-fields.yml | 108 + .../event/fields/proxy-fields-deprecated.yml | 84 + .../event/fields/resource-fields.yml | 141 + 
.../data_stream/event/fields/user-fields.yml | 254 + .../event/fields/vulnerability-fields.yml | 162 + .../data_stream/event/manifest.yml | 10 +- .../data_stream/event/sample_event.json | 160 + .../findings/fields/actor-fields.yml | 1815 ++++++ .../findings/fields/api-fields.yml | 154 + .../findings/fields/assignee-fields.yml | 254 + .../data_stream/findings/fields/fields.yml | 2042 +----- .../findings/fields/finding-info-fields.yml | 137 + .../findings/fields/metadata-fields.yml | 122 + .../findings/fields/process-fields.yml | 1388 +++++ .../findings/fields/resource-fields.yml | 141 + .../findings/fields/vulnerability-fields.yml | 162 + .../data_stream/findings/manifest.yml | 6 + .../data_stream/iam/fields/actor-fields.yml | 1815 ++++++ .../data_stream/iam/fields/api-fields.yml | 154 + .../data_stream/iam/fields/device-fields.yml | 348 ++ .../data_stream/iam/fields/fields.yml | 3648 ++--------- .../iam/fields/metadata-fields.yml | 122 + .../iam/fields/network-endpoint-fields.yml | 213 + .../iam/fields/resource-fields.yml | 141 + .../data_stream/iam/fields/user-fields.yml | 254 + .../data_stream/iam/manifest.yml | 6 + .../network_activity/fields/actor-fields.yml | 1815 ++++++ .../network_activity/fields/api-fields.yml | 154 + .../network_activity/fields/device-fields.yml | 348 ++ .../network_activity/fields/fields.yml | 3523 ++--------- .../network_activity/fields/file-fields.yml | 509 ++ .../fields/metadata-fields.yml | 122 + .../fields/network-endpoint-fields.yml | 213 + .../fields/proxy-endpoint-fields.yml | 108 + .../fields/proxy-fields-deprecated.yml | 84 + .../data_stream/network_activity/manifest.yml | 6 + .../system_activity/fields/actor-fields.yml | 1815 ++++++ .../system_activity/fields/api-fields.yml | 154 + .../system_activity/fields/device-fields.yml | 348 ++ .../system_activity/fields/fields.yml | 4073 ++---------- .../system_activity/fields/file-fields.yml | 509 ++ .../fields/metadata-fields.yml | 122 + .../data_stream/system_activity/manifest.yml | 
6 + packages/amazon_security_lake/docs/README.md | 486 +- ...-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json | 2 +- ...-15b6e140-24a3-11ee-bb84-975fc16e8386.json | 2 +- ...-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json | 2 +- ...-3ec9b110-7d82-11ee-8bb4-f99e39910112.json | 2 +- ...-41b73270-25fe-11ee-983a-17fb20a3b25d.json | 2 +- ...-48997710-7d65-11ee-8bb4-f99e39910112.json | 2 +- ...-9f829d40-7e1e-11ee-8bb4-f99e39910112.json | 2 +- ...-c2efb230-7d48-11ee-8bb4-f99e39910112.json | 2 +- ...-ed18e3a0-2565-11ee-be5c-17edc959116c.json | 2 +- ...-f21df8e0-249d-11ee-aa05-4dd9349682f3.json | 2 +- packages/amazon_security_lake/manifest.yml | 2 +- 124 files changed, 34099 insertions(+), 20744 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/network_email_activity.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf create mode 100644 packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/event/fields/user-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/sample_event.json create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md index 4a685d80987d..18008fd0da68 100644 --- a/packages/amazon_security_lake/_dev/build/docs/README.md +++ b/packages/amazon_security_lake/_dev/build/docs/README.md @@ -10,7 +10,7 @@ The Amazon Security Lake integration can be used in two different modes to colle ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams 
@@ -19,6 +19,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. + ## Requirements - Elastic Agent must be installed. diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index b320a9cdbe99..294689e3035f 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Updated to support OCSF v1.1.0. with major pipeline rework and dynamic mapping support. + type: enhancement + link: https://github.com/elastic/integrations/pull/10405 - version: "1.5.0" changes: - description: Re-added SQS notification settings which were removed due to a prior update error. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: actor
+ type: group
+ fields:
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: idp
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the identity provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the identity provider.
+ - name: invoked_by
+ type: keyword
+ description: The name of the service that invoked the activity as described in the event.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml 
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml 
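Review bot: `ocsf.api.request.containers.size` and `ocsf.api.response.containers.size` are mapped as `type: integer`, while the container `size` that this PR removes from fields.yml was `type: long`; OCSF describes the field as the size of the container image, and an image larger than 2,147,483,647 bytes would be rejected by a 32-bit `integer` mapping and fail the whole document at index time. I would keep the previous width in both places: `type: long`. Separately, `ocsf.api.request.data` and `ocsf.api.response.data` are `flattened` catch-alls for "additional data"; I can't tell from this file whether the pipeline redacts anything before it lands here, so a description note such as `Raw request payload as supplied by the source; not redacted by this integration` would warn operators that credentials or tokens echoed by an API can end up searchable in these fields — confirm against the pipeline.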
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 57f77aaf0afd..e7f961422619 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
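Review bot: The description of `ocsf.device.uid_alt` is copy-pasted from the user object ("The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.") and is wrong for a device field; it should read `description: The alternate unique identifier of the device.` There is also a typo in `created_time_dt` (`TThe time when the device was known to have been created.`). Less certain: `ocsf.device.subnet` is mapped as `type: ip_range` but described as "The subnet mask"; `ip_range` parses CIDR notation such as `10.0.0.0/24`, and a bare dotted mask like `255.255.255.0` would fail to parse and reject the document, so either the description should say CIDR or the pipeline needs to normalise that value — verify what the source actually emits.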
@@ -7,1713 +7,6 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'.
In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: app type: group fields: 
@@ -1723,18 +16,11 @@ - name: name type: keyword description: The CIS benchmark name. - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: path type: keyword description: The installation path of the product. 
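Review bot: The new `feature.*` entry's description does not tell a reader that the field is now dynamically mapped, nor which sub-fields are expected: with `object_type: keyword` and `object_type_mapping_type: "*"` anything arriving under `feature` is indexed as keyword, whereas the removed lines documented exactly `name`, `uid` and `version`. Because the match type is `"*"`, a non-scalar value (a nested object under `feature`) may fail to index rather than be ignored — worth confirming against the pipeline test data rather than assuming. Suggest: `description: The Feature object provides information about the software product feature that generated a specific event. Mapped dynamically; all sub-fields (for example name, uid, version) are indexed as keyword.`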
@@ -1756,6 +42,39 @@ - name: category_uid type: keyword description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: protocol_name + type: keyword + description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' + - name: protocol_num + type: keyword + description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' 
+ - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. - name: class_name type: keyword description: 'The event class name, as defined by class_uid value: Security Finding.' 
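Review bot: The new `boundary` description is missing spaces (`event source.For cloud connections, this translates to the traffic-boundary(same VPC`) while the sibling `boundary_id` carries the same sentence correctly spaced; change it to `description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.`. Separately, `protocol_num` is mapped as `keyword` although its description is a numeric IANA protocol number with `-1` as the not-defined sentinel, so numeric range filters on it will not work; if keyword is deliberate for consistency with the other `*_id` fields, a short comment saying so would help, otherwise `type: long` would match the neighbouring `tcp_flags`.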
@@ -1807,36 +126,36 @@ - name: zone type: keyword description: The availability zone in the cloud region, as defined by the cloud provider. + - name: command_uid + type: keyword + description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: database type: group fields: - - name: autoscale_uid + - name: uid type: keyword - description: The unique identifier of the cloud autoscale configuration. + description: The unique identifier of the database. - name: created_time - type: date - description: The time when the device was known to have been created. + type: long + description: The time when the database was known to have been created. - name: created_time_dt type: date - description: TThe time when the device was known to have been created. + description: The time (date) when the database was known to have been created. - name: desc type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. + description: The description that pertains to the object or event. - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
- name: desc type: keyword description: The group description. 
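Review bot: `database.created_time` is mapped as `type: long` while its `created_time_dt` sibling is `date`, and every other `created_time` visible in the removed lines of this diff (session, certificate, signature) was `date`; whether the new file keeps those as `date` is outside this hunk, so please confirm the pair is intentionally epoch value plus datetime and, if so, state it, e.g. `description: The time when the database was known to have been created, as an epoch timestamp (see created_time_dt for the date form).`. The new `duration` field likewise carries its unit only in the description, which is acceptable for OCSF naming but should be kept consistent with the time fields above. The `device` group removed here presumably moves to the device-fields.yml listed in the diffstat — confirm the `device.*` mappings survive there, since the deletion in this hunk is silent about it.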
@@ -1852,378 +171,81 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. 
- - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. 
- - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - name: modified_time - type: date - description: The time when the device was last known to have been modified. 
+ type: long + description: The most recent time when any changes, updates, or modifications were made within the database. - name: modified_time_dt type: date - description: The time when the device was last known to have been modified. + description: The most recent time (date) when any changes, updates, or modifications were made within the database. - name: name type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score + description: The database name, ordinarily as assigned by a database administrator. + - name: size type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. 
- - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. + description: The size of the database in bytes. - name: type type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + description: The database type. - name: type_id type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint + description: The normalized identifier of the database type. + - name: databucket type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name + - name: uid type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid + description: "Unique ID" + - name: created_time + type: long + description: The time when the databucket was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the databucket was known to have been created. + - name: desc type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. 
- - name: location + description: The description of the databucket. + - name: file + type: flattened + description: A file within a databucket. + - name: groups type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country + - name: domain type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code + description: The group description. + - name: name type: keyword - description: The postal code of the location. - - name: provider + description: The group name. + - name: privileges type: keyword - description: The provider of the geographical location data. - - name: region + description: The group privileges. + - name: type type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the databucket. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the databucket. - name: name type: keyword - description: The short name of the endpoint. - - name: port + description: The databucket name. + - name: size type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid + description: The size of the databucket in bytes. + - name: type type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid + description: The databucket type. + - name: type_id type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + description: The normalized identifier of the databucket type. - name: end_time type: date description: The end time of a time period, or the time of the most recent event included in the aggregate event. @@ -2235,6 +257,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
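Review bot: `databucket.uid` is documented only as `"Unique ID"`, the one field in the new database/databucket objects whose description does not follow the file's "The unique identifier of the <object>." pattern; suggest `description: The unique identifier of the databucket.` Separately, `databucket.file` is mapped `flattened` while this commit adds a dedicated file-fields.yml for the top-level `ocsf.file` object; under flattened every leaf (size, hashes, path) is indexed as a keyword, so numeric range queries on a bucket file's size and per-field typing are lost — presumably deliberate to bound the mapping, but worth one sentence in the description. The enclosing `ocsf` group starts outside the hunk.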
@@ -2248,6 +271,52 @@
 - name: value
 type: keyword
 description: The value of the attribute to which the enriched data pertains.
+ - name: expiration_time
+ type: date
+ description: The share expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The share expiration time (date).
+ - name: firewall_rule
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: http_request
 type: group
 fields:
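Review bot: `firewall_rule.condition` is mapped `text` even though its own description gives an enum-style value (`SQL_INJECTION`) and the sibling `match_location`/`sensitivity` fields carrying the same kind of value are `keyword`; a text field is analyzed and not aggregatable, so a detection rule or dashboard cannot group on or exact-match the condition. Suggest `type: keyword` for `condition`, and likewise for `desc`, which the database, databucket, groups and policy objects in this file all map as keyword. `match_details` holds the request data that matched the rule; if the package keeps Fleet's default `ignore_above` for keyword, long matched payloads are silently left unindexed, which is worth stating in its description. The enclosing `ocsf` group starts outside the hunk.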
@@ -2338,108 +407,9 @@
 - name: message
 type: keyword
 description: The description of the event, as defined by the event source.
- - name: metadata
- type: group
- fields:
- - name: correlation_uid
- type: keyword
- description: The unique identifier used to correlate events.
- - name: event_code
- type: keyword
- description: The Event ID or Code that the product uses to describe the event.
- - name: extension
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The schema extension name. For example: dev.'
- - name: uid
- type: keyword
- description: 'The schema extension unique identifier. For example: 999.'
- - name: version
- type: keyword
- description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- - name: labels
- type: keyword
- description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- - name: log_name
- type: keyword
- description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- - name: log_provider
- type: keyword
- description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- - name: log_version
- type: keyword
- description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- - name: logged_time
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: logged_time_dt
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: modified_time
- type: date
- description: The time when the event was last modified or enriched.
- - name: modified_time_dt
- type: date
- description: The time when the event was last modified or enriched.
- - name: original_time
- type: keyword
- description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- - name: processed_time
- type: date
- description: The event processed time, such as an ETL operation.
- - name: processed_time_dt
- type: date
- description: The event processed time, such as an ETL operation.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: profiles
- type: keyword
- description: The list of profiles used to create the event.
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
+ - name: num_*
+ type: integer
+ description: The number fields for counting various item scan results.
 - name: observables
 type: group
 fields:
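Review bot: the `num_*` wildcard is described only as "The number fields for counting various item scan results.", which says neither that this is a dynamic mapping rather than a concrete field nor which `ocsf.num_...` attributes it is expected to cover, so a reader cannot tell whether an unexpected `num_` field in an event is a schema gap or intended. Suggest `description: Dynamic mapping for the scan-result counters (ocsf.num_<item>); each is an integer count of items of one kind observed by the scan.` and listing the concrete attribute names the pipeline emits. Note also that `num_*` is `integer` while the other counts in this file (`count`, `duration`, `size`) are `long`; the narrower width may be intended, but it should be a deliberate choice. The enclosing `ocsf` group starts outside the hunk.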
@@ -2470,97 +440,43 @@ - name: value type: keyword description: The value associated with the observable attribute. - - name: proxy + - name: policy type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid + - name: desc type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location + description: The description of the policy. + - name: group type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country + - name: domain type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp + description: The group description. + - name: name type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code + description: The group name. + - name: privileges type: keyword - description: The postal code of the location. - - name: provider + description: The group privileges. + - name: type type: keyword - description: The provider of the geographical location data. - - name: region + description: The type of the group or account. + - name: uid type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + description: 'The policy name. For example: IAM Policy.' - name: uid type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid + description: A unique identifier of the policy instance. + - name: version type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: raw_data - type: flattened - description: The event data as received from the event source. 
- - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: severity_id - type: long - description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint + description: The policy version number. + - name: proxy type: group fields: - name: domain 
@@ -2641,6 +557,61 @@
 - name: vpc_uid
 type: keyword
 description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: query_info
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the query.
+ - name: name
+ type: keyword
+ description: The query name for a saved or scheduled query.
+ - name: query_string
+ type: text
+ description: A string representing the query code being run. For example, SELECT * FROM my_table
+ - name: query_time
+ type: long
+ description: The time when the query was run.
+ - name: query_time_dt
+ type: date
+ description: The time (date) when the query was run.
+ - name: bytes
+ type: long
+ description: The size of the data returned from the query.
+ - name: data
+ type: flattened
+ description: The data returned from the query execution.
+ - name: raw_data
+ type: flattened
+ description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: match_only_text
+ description: The raw event data keyword as received from the event source.
+ - name: scan
+ type: group
+ description: The Scan object describes characteristics of a proactive scan.
+ fields:
+ - name: name
+ type: keyword
+ description: The administrator-supplied or application-generated name of the scan.
+ - name: type
+ type: keyword
+ description: The type of scan.
+ - name: type_id
+ type: keyword
+ description: The type id of the scan.
+ - name: uid
+ type: keyword
+ description: The application-defined unique identifier assigned to an instance of a scan.
+ - name: schedule_uid
+ type: keyword
+ description: The unique identifier of the schedule associated with a scan job.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: severity_id
+ type: long
+ description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
 - name: start_time
 type: date
 description: The start time of a time period, or the time of the least recent event included in the aggregate event.
@@ -2659,6 +630,9 @@
 - name: status_id
 type: keyword
 description: The normalized identifier of the event status.
+ - name: total
+ type: integer
+ description: The total number of items that were scanned; zero if no items were scanned.
 - name: time
 type: date
 description: The normalized event occurrence time.
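Review bot: `raw_data_keyword` is mapped `match_only_text`, so the name promises an exact-match keyword but the field is analyzed; a term query or aggregation on it will not behave like the `_keyword` convention the name suggests, and nothing in the description warns of that. Either rename it to match the type or state it, e.g. `description: The raw event data as received from the event source, indexed as analyzed text (not a keyword) for full-text matching.` `query_info.query_string` and `query_info.data` carry the executed query text and the returned rows; if the pipeline passes them through unchanged — confirm — the descriptions should say so, since those payloads can include literal values an operator would not expect to be indexed. The enclosing `ocsf` group starts outside the hunk.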
@@ -2782,6 +756,60 @@
 - name: version
 type: keyword
 description: The TLS protocol version.
+ - name: table
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the table.
+ - name: name
+ type: keyword
+ description: The table name, ordinarily as assigned by a database administrator.
+ - name: desc
+ type: text
+ description: The description of the table.
+ - name: created_time
+ type: long
+ description: The time when the table was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: The time (date) when the table was known to have been created.
+ - name: modified_time
+ type: long
+ description: The most recent time when any changes, updates, or modifications were made within the table.
+ - name: modified_time_dt
+ type: date
+ description: The most recent time (date) when any changes, updates, or modifications were made within the table.
+ - name: size
+ type: long
+ description: The size of the data table in bytes.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: type
+ type: keyword
+ description: The event type name, as defined by the type_id.
+ - name: type_id
+ type: keyword
+ description: The normalized event type identifier.
 - name: type_name
 type: keyword
 description: The event type name, as defined by the type_uid.
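Review bot: the trailing `type`/`type_id` entries in this hunk are described as "The event type name, as defined by the type_id." and "The normalized event type identifier.", which is event-level wording; because the hunk's indentation is not visible here it is unclear whether they sit inside `table` (where that wording is wrong, and as far as I recall the OCSF table object defines no type/type_id) or at the top-level `ocsf` group next to `type_name`, which is already defined by `type_uid`, so a second `type`/`type_id` pair looks like a duplicate. Please confirm the placement and either drop them or describe what they actually carry. Also `table.desc` is `text` while `database.desc` and `databucket.desc` in this file are `keyword`; the three objects share a shape and should map alike, `type: keyword`. The enclosing `ocsf` group starts outside the hunk.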
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
new file mode 100644
index 000000000000..f0d2fe6bc6b1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
@@ -0,0 +1,509 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
new file mode 100644
index 000000000000..01b1c11c4dc4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
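Review bot: Every `*_time`/`*_time_dt` pair in file-fields.yml carries an identical description — `accessed_time` and `accessed_time_dt` both read "The time when the file was last accessed.", and the same holds for `created_time`, `modified_time`, the certificate times and the signature times — so a consumer reading the field reference cannot tell which field holds the epoch-millisecond value and which the datetime string. Suggest differentiating them the way the `table` group elsewhere in this commit already does, e.g. `description: The time when the file was last accessed, as an epoch timestamp.` for `accessed_time` and `description: The time (date) when the file was last accessed.` for `accessed_time_dt`. Separately, the user object (account, credential_uid, domain, email_addr, full_name, groups, ldap_person, name, org, type, type_id, uid, uid_alt) is reproduced verbatim four times under `accessor`, `creator`, `modifier` and `owner`; any future attribute added to one copy has to be applied to all four, so a one-line comment at the top of `file` noting that these four blocks must be kept in sync would reduce drift.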
@@ -0,0 +1,122 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml
new file mode 100644
index 000000000000..91fca432e6eb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml
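Review bot: `metadata.tenant_uid` is described as "The audit level at which an event was generated.", which does not describe a tenant identifier and looks like text carried over from a different attribute; the field is the one a multi-tenant deployment would use to scope searches and detection rules, so a misleading description invites the wrong field being chosen for that scoping. `description: The unique tenant identifier.` matches what the name denotes and, as far as I recall, the OCSF wording. The file also keeps both the singular `extension` group and the `extensions` group with identical sub-fields; if, as it appears, `extension` is retained so pre-1.1 events still map, a short clause saying so in its description would stop a later cleanup from dropping one of them by mistake.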
@@ -0,0 +1,213 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: dst_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
+ - name: src_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml
new file mode 100644
index 000000000000..e3d9d54d6704
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml
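Review bot: `intermediate_ips` and `ip` are mapped as type `ip` under both `src_endpoint` and `dst_endpoint`, and the description of `intermediate_ips` says the values come from the HTTP X-Forwarded-For header — a client-supplied header that routinely carries hostnames, "unknown", or other non-IP strings. Unless the ingest pipeline already validates these values (it is not visible in this hunk), one malformed entry raises a mapping exception and the whole event is rejected, which means the very requests a defender most wants to see are the ones that never get indexed. Consider validating in the pipeline with a `convert` processor of `type: ip` and an `on_failure` handler that removes the bad value and records it in `error.message`, or note in the description where that validation happens. The `src_endpoint` block is a verbatim copy of `dst_endpoint`; a comment stating that the two must be kept identical would help future edits.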
@@ -0,0 +1,141 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: resources
+ type: group
+ fields:
+ - name: cloud_partition
+ type: keyword
+ description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).'
+ - name: criticality
+ type: keyword
+ description: The criticality of the resource as defined by the event source.
+ - name: data
+ type: flattened
+ description: Additional data describing the resource.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: labels
+ type: keyword
+ description: The list of labels/tags associated to a resource.
+ - name: name
+ type: keyword
+ description: The name of the resource.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful when similar entities exist that you need to keep separate.
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: type_id
+ type: keyword
+ description: The resource group type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: region
+ type: keyword
+ description: The cloud region of the resource.
+ - name: type
+ type: keyword
+ description: The resource type as defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The resource type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the resource.
+ - name: version
+ type: keyword
+ description: The version of the resource. For example 1.2.3.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml
index 74966e6d2d35..6f544e408a1c 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml
@@ -1,3 +1,9 @@
 title: Amazon Security Lake Application Activity Events
 dataset: amazon_security_lake.application_activity
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
new file mode 100644
index 000000000000..76096c38c9bb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
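Review bot: The `owner.groups.type_id` entry in the new resource-fields.yml is described as `The resource group type identifier.` although it sits inside the user's `groups` list, next to `type`, `desc` and `privileges` that all describe a group; the wording looks carried over from `resources.type_id` and should read `The group type identifier.`. Every `*_id` enum in this file (`resources.type_id`, `owner.type_id`, `owner.account.type_id`, `owner.groups.type_id`) is mapped as `keyword`, whereas OCSF defines these as integer enums as far as I recall; with the dynamic mapping this same commit enables in the data stream manifest, an undeclared `*_id` path will be mapped as `long` by the first document that carries it, so the same enum becomes a string in one field and a number in another and a numeric filter will match only one of them. Either map them as `type: integer` here, or record the choice at the top of the file so it is not "fixed" later, e.g. `# OCSF *_id enums are mapped as keyword deliberately; the pipeline must emit them as strings`.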
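Review bot: `dynamic: true` under `index_template.mappings` in the manifest hunk means every field the fields YAML does not declare is typed by whichever document carries it first, so the mapping now depends on ingest order and on what each OCSF source emits; a value that is numeric-looking in one event and a string in the next makes the second document fail indexing, and undeclared paths grow the mapping toward the index total-fields limit with no signal in this file. If the intent is only to make undeclared fields searchable, `dynamic: runtime` would avoid indexing them (I cannot tell from this hunk which behaviour is intended). The added `dynamic_dataset`/`dynamic_namespace` flags let the pipeline reroute documents to other data streams; if the target is derived from event content, the reroute should be limited to a closed set of known dataset names so a malformed record cannot create or write into an arbitrary stream — the pipeline is outside this hunk. A short comment stating why dynamic mapping is needed would help the next maintainer, e.g. `# dynamic: true — OCSF payloads carry source-specific fields that are not declared in fields/*.yml`, if that is the reason.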
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml
@@ -0,0 +1,154 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: api
+ type: group
+ description: Describes details about a typical API (Application Programming Interface) call.
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: group
+ type: group
+ description: The information pertaining to the API group.
+ fields:
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: request
+ type: group
+ description: Details pertaining to the API request.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: response
+ type: group
+ description: Details pertaining to the API response.
+ fields:
+ - name: code
+ type: integer
+ description: The numeric response sent to a request.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: text
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: message
+ type: text
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ description: The information pertaining to the API service.
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml
new file mode 100644
index 000000000000..1fbf81b593e4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml
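Review bot: Both `containers.size` fields and `response.code` are mapped as `integer`, while the `process.container.size` definition this commit removes from fields.yml used `long` and every numeric field in the sibling device-fields.yml added here is `long`; `type: long` on those three would keep numeric types uniform across the data stream. `group.desc` is `type: text` here but `keyword` for every other group `desc` in this commit, making it the only one that cannot be used for exact-match filtering or aggregation, so `type: keyword` would align it. Collapsing `containers.hash` and `containers.image` to `flattened` drops the typed `algorithm`/`algorithm_id`/`value` sub-fields the old container hash mapping declared, so saved searches or rules keyed on those paths presumably need re-checking; a one-line comment above each `flattened` field noting that its leaf values are indexed as keywords only would help the next maintainer. The phrase 'write to the standard the output' in both `containers` descriptions looks like an upstream typo carried over from the schema; if the text does not have to match the schema verbatim, 'write to the standard output' reads correctly.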
@@ -0,0 +1,348 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version.
For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 6147dba2ae12..bfbe2228e057 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
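Review bot: The `uid_alt` description near the end of this hunk is the user object's text ('The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.') pasted onto the device object; `description: The alternate unique identifier of the device.` would describe the field that is actually mapped. Two other description slips in the same file: `created_time_dt` reads 'TThe time when the device was known to have been created.' and `hostname` reads 'The devicename.'. `subnet` is mapped as `ip_range` while its description says 'The subnet mask'; an `ip_range` field accepts CIDR or explicit start/end values only, so if the source ever delivers a bare mask such as 255.255.255.0 the event fails to index, which is worth confirming against what the pipeline emits or avoiding by mapping it as `keyword`. `namespace_pid` is `integer` while every other numeric field in this file is `long`; `type: long` would keep the file uniform.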
@@ -7,1713 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: category_name type: keyword description: 'The event category name, as defined by category_uid value: Identity & Access Management.' 
@@ -1738,6 +31,12 @@ - name: kb_articles type: keyword description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: rule type: group fields: @@ -1761,7 +60,7 @@ description: The rule version. - name: class_name type: keyword - description: 'The event class name, as defined by class_uid value: Security Finding.' + description: 'The event class name, as defined by class_uid value: Security Finding, User Inventory Info.' - name: class_uid type: keyword description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. 
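Review bot: `kb_article_list` is mapped here as a single `flattened` value, while the same attribute name added further down this file (the `@@ -2170` hunk) is a `group` with typed children (`created_time_dt: date`, `is_superseded: boolean`, `size: long`), so the same OCSF KB Article object indexes differently depending on which path it arrives under. Flattened stores every leaf as a keyword, so `created_time_dt` and `size` under this copy cannot be range-queried or used in date histograms. If both paths carry the same KB Article object, reuse the structured mapping here, e.g. `- name: kb_article_list` / `type: group` with the same child fields; if the flattened form is deliberate, say so in the description. The enclosing group's header is outside the hunk.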
@@ -1813,336 +112,6 @@ - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
- - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. 
- - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. 
- - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). 
- name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -2157,6 +126,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
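Review bot: `ignore_malformed: true` on the flattened `enrichments.data` field means an enrichment payload that cannot be indexed is silently left unindexed for that document (the `_source` is kept) instead of failing ingestion, and enrichment is exactly the context (reputation, geo, threat-intel labels) that detection rules tend to key on. Elasticsearch records the skipped field name in the document's `_ignored` meta-field, so anyone relying on enrichment values should monitor `_ignored` on this data stream. A short comment next to the setting would make the trade-off explicit: `# malformed enrichment payloads are skipped (listed in _ignored), not rejected`. The `enrichments` group header is outside the hunk.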
@@ -2170,111 +140,49 @@ - name: value type: keyword description: The value of the attribute to which the enriched data pertains. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: metadata + - name: kb_article_list type: group + description: The KB Article object contains metadata that describes the patch or update. fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider + - name: uid type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version + description: The unique identifier for the kb article. + - name: bulletin type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time + description: The kb article bulletin identifier. + - name: classification type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt + description: The vendors classification of the kb article. + - name: created_time + type: long + description: The date the kb article was released by the vendor. + - name: created_time_dt type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles + description: The date the kb article was released by the vendor. + - name: is_superseded + type: boolean + description: "The patch is superseded" + - name: severity type: keyword - description: The list of profiles used to create the event. - - name: sequence + description: The severity of the kb article. + - name: size type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid + description: The size in bytes for the kb article. + - name: src_url type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version + description: The kb article link from the source vendor. + - name: title type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' + description: The title of the kb article. + - name: os + type: flattened + description: The operating system the kb article applies. + - name: product + type: flattened + description: The product details the kb article applies. + - name: message + type: keyword + description: The description of the event, as defined by the event source. - name: observables type: group fields: 
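Review bot: `kb_article_list.created_time` is mapped as `long` while its companion `created_time_dt` is `date`, and the other `*_time` fields in this package (`session.created_time`, `device.created_time`, `metadata.modified_time`) are all `date`, so this one field cannot be used in the same date-range queries or visualisations as the rest. If the raw OCSF epoch-milliseconds value is intentionally kept numeric here, the description should say so (`The date the kb article was released by the vendor, as epoch milliseconds.`); otherwise change it to `type: date` to match the package convention. `os` and `product` are `flattened` whereas `metadata.product` elsewhere in this package is a structured group; that is presumably deliberate for variable vendor data, but a one-line note in the description would stop the next maintainer from "fixing" it. The enclosing `ocsf` group header is outside the hunk.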
@@ -2305,9 +213,38 @@ - name: value type: keyword description: The value associated with the observable attribute. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: keyword + description: The security state of the managed entity. - name: raw_data type: flattened description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: keyword + description: The security state of the managed entity. - name: severity type: keyword description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml 
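Review bot: `security_level_id` is mapped as `integer` while the `state_id` fields added in the same hunk and the other OCSF `*_id` enumeration identifiers in this package (`type_id`, `state_id`) are `keyword`, so the same kind of identifier has two different types and a filter like `ocsf.security_level_id: "1"` will behave differently from `ocsf.security_states.state_id: "1"`. Unless numeric range queries on the level are wanted, `type: keyword` keeps it consistent with the rest of the schema. Separately, `raw_data_keyword` is typed `match_only_text`, which does not support aggregations or sorting the way its `_keyword` suffix suggests; either rename it or state in the description that it is a full-text copy of `raw_data` for searching, not a keyword field. The enclosing `ocsf` group header is outside the hunk.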
@@ -0,0 +1,122 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
new file mode 100644
index 000000000000..904fd937ffa0
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
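Review bot: The `tenant_uid` description (`The audit level at which an event was generated.`) does not describe a tenant identifier and looks copied from another field; suggest `description: The unique tenant identifier.` The `*_time` fields in this file (`logged_time`, `modified_time`, `processed_time`) are `type: date` with no `format`, whereas the `*_time` fields added in user-fields.yml in the same commit declare `format: epoch_second`; if the pipeline forwards OCSF timestamps unchanged (OCSF emits them as epoch milliseconds), the two conventions will parse the same kind of value differently, so one convention should be chosen and the `_dt` twins, which carry identical descriptions, should say how they differ from the non-`_dt` field. `extension` and `extensions` are declared with identical subfields; presumably the singular one is kept for older events — a comment saying so would save the next maintainer from deleting it.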
@@ -0,0 +1,254 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user.
For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/discovery/manifest.yml b/packages/amazon_security_lake/data_stream/discovery/manifest.yml
index 378ed301c0b3..39d52c9c0dac 100644
--- a/packages/amazon_security_lake/data_stream/discovery/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/manifest.yml
@@ -1,3 +1,9 @@
 title: Amazon Security Lake Discovery Events
 dataset: amazon_security_lake.discovery
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml
new file mode 100644
index 000000000000..b795fcdeb2c1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml
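Review bot: `user.type_id` is described as `The account type identifier.` while its sibling `user.type` is "The type of the user", and the same copied description appears again under `manager.type_id`; it should read `description: The normalized user type identifier.` in both places (the `account.type_id` entries already have the correct "account" wording). The `manager` group repeats the `account`, `groups`, `org.*`, `type`, `uid` and `uid_alt` definitions of `user` verbatim, so any later change to the user sub-fields has to be made twice; if `manager` is intentionally a reduced user (it has no `ldap_person` or `location`), a one-line comment above `- name: manager` saying which parts of the user object are mapped for it would prevent the two copies from drifting silently.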
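Review bot: `mappings.dynamic: true` on the index template auto-maps every field the source emits that the fields files do not declare, and nothing in this hunk bounds that; for a data stream fed by external OCSF producers this is a mapping-explosion and type-conflict risk (a field first indexed as a number later rejects string values, and each new attribute name grows the mapping until the field limit is hit). If the intent is to keep undeclared OCSF attributes searchable, `dynamic: runtime` or a dynamic template that maps unknown strings to keyword is the narrower option; a field-count limit may be set elsewhere in the package but is not visible here. At minimum a comment next to `dynamic: true` stating why the dataset needs full dynamic mapping and why `dynamic_dataset`/`dynamic_namespace` are enabled for this stream would tell the next maintainer this is deliberate.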
@@ -0,0 +1,9 @@
+version: '2.3'
+services:
+ terraform:
+ environment:
+ - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+ - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+ - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+ - AWS_PROFILE=${AWS_PROFILE}
+ - AWS_REGION=${AWS_REGION:-us-east-1}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet new file mode 100644 index 0000000000000000000000000000000000000000..a9e689098ce3efe7bb063eb8ce794f5a336614dc GIT binary patch literal 28930 zcmb_F4UiO9S~JTAHi1NvqdPr0%#FEAA9W-!JG%?B)EVvFWoJWRvuu{#W%UkwdU|(f znVs3p%Uekvk(sj4@&=;)xM4o)Hl-Mx=5vVvH#&m7@H< z@Ad0`J>5M$gmf*tJ@0+*`+MK}-h1Es-q5G@H%pDuSER43ml~wVU6IJ0kw_$0E>D}~ z_|{xutQ^l5i&IhrfEphFkj2t`Y5vmTJ3SzZw+Jvr8l*+Bw#fX&F=fG|SuX2irWBDI zuHqjsy2x={fGvLtgZ7Xa$VrVRs7dU#u4RVe($&By$5MXyXlGhky!6n@ksvcZ9c zRzPyGw3w5;zB7MfPc#zo&}-r~iv7kYHd>N5R&tX}>?h8MN9I>5QrG~zgN1K^S=-%rJ7eHSFCDZ(cGH!=x(79DBhw#krouEx7ci?T zhg9(K@Q7oA9>spcj}4MFia@O@fiuq!-{<%u!vKoiawEwT{_obx12~e1|}}bihr1 z5iB_>dciQa1Wi+)6>(6=3TXxJ^Unb{`P|reB~#oM&rHL@y*x#W695xe?w|7kQv3>i zrMn}CbI+&_;@Mv2bW}baRo7wH`r!#c?%$oMmNr*+rkY#o=+3ZK*2Euz+gIS*9f5=T z^RuE3PNYF1E5@hvQmz~?6ic)Ec8|ll%L}9Ulp#0vmX7l?zhsWl3LDmBr=swq z_MkENH1|j8ZwjlEZH73qSLw+*Od+h5HL^o+`-*v6c{)=tE5YMB1ZlmbK^;{anqoc+ z%RYTN3#$ghj8{r#A?x+yk}sIzU+gR40xCUeOo878i_{ZL%tIMO}fWRn-y*u98-9f_DQdvoN=P(u5sy zacd6#Vu#aTXIiprOwYCm!tgsTRTn^&Qiw|Z6S zvj=P&O{Ijfm}+iL)iD;sTCo8U1{I?5z%_gr-g>D+S1ghiapP(rb=54u2J{yG} zbqXbM;{!HRQi`iy0kja*%j=n9iJTQI+>6C5gkN=U>`DoOR03-Ny)bh-9OsK;j@BiV3fZZDQ{V>#f$*#aMFkdHK|6R3uI5Z6f^)bWt?5Ld_Nft_R` z2}}9*2b0YMiB)Ub+SepoRzPrZRWdQ+@hzXP0j$)j3=n(qWHFl?g_tmjy(P;QIM<@` zwWvCRlGnl+LJ%aaTCHV@l}d3E2JUn=jsftznZ;8N02KYF5mxmtVG3)+>N96 znrS!eY9VX`72P#6i{eWQ~8|1 z){^UUuo&5HZ=hhz&d*R-1T@V!t7rqrzK_yk0Kb5jjVP-i9d~g^0|}$b7^OkCzc%qcrh1gmV~K zWb4M;pS*?BHf3XR%BVl9R+6Gh?Gfx@PVxm){EHdeyi0Fm`m;x?xR$&ztZqf(jv98a zKH&>2RT}ZPo0Hq^acMK-1T4fxK&WbRFt-_bI8~i7<1-N9)-$mEj#qRDdH|^CV($(B zgfN^x1{a4Z76x#ik&AOf0FoNmfj^&ETgzy3Qd~}$?U_236Jf2`tR4mxByr$kA`D@@ zWI+{Gwr@}qkrno6~;uEWB@TCuJUgQ_K6 zpp}Iot(P>YLs&%IhP=Sz>6#{9qu6fXiPk;|8x{UsH(6sEZQrO6A;f& z8#x^$E9b@_4C|3d_J>mf%Kc;!k0Zq}@{MA4TMM7XJskVa<$|>+3;FupyX53Zon=7a 
z(qNgij4$pNgVYcs#=ty853;#3#Opn5Ev|-8JS8sWDYvt{*ezK&dCReL`n6gngWwey4Bm9_5Bw7>oh950p z|7f69=~ZZ{azi1<`iR8tY>4@!Tlk0 zdD4P~20XJDh}l`dHZlJM*;qh^tbkR_U5&YtR|TNDQbA*E$_USGwVAdPH9=~JNU zn<5$W&yf_G5wl_0h8DA7U;|?M=0>go{9OT z&j?MJnnJQrxSB%11hoDMBrsfkvqFT1EK4J1C3pxGK?xDDz>El?aUfO_KkU@s5J=qkH z)pI-;tLuDFKw9hME#^Pj+NXxLmi!ORz(Re`!vyNJZ7J;7$Fij`FoB+ZmIIEGAJYic zfd?wk+d*d}Lh}%5LgM~hnh-F7p3le#inGJW4v3u#_*n28{Dl=FxBItd6U6@P!x3NM~+m8HA%CnP;dAD*R zHooTqZ2VQI_VwS^HYUJ-TeTLFrE;${gL!AMrSh(MQm^%Txl!u3UUx6B0Z!j)1H8FV zf-b+mL_#`wmYT0oX$l^r?QIo zKJ2u7f4#KEDt@(B>abqV^+|hp!-E6T&soK12BrPHc*ltJ0)PMHYtk$HeNRR@#NW@E z4qHdYZThcFIP~`wY^^*$RG`SLSShr5dhg(l~|6SYn0=ywIE z-OoEjE*y?JmayY!)Y1Ao#~i5rzaN!KRu`Q9o>RX2#i*rgsUh}BZ_gsVR4UGHfn-Z_ zQkRxNR^j~-`?B=?k@a|#OJ&x@WnR<>V05!M(iTyy8+_7z43x5iI3VJqz_D0h-CY%n z;IgRr5u>r^J;w%NqfNX0@|&ZSu4PD2!HJehh{B^sMPHN{otvG2MRf-7zZ-vTQoDbRrH z!ii}tq5wYHq~5WUI7DD4SAv(~Fc4D|EW78K0?ZuT2k~N4=RBN`D1KxQgPAoJj(mAb zG++1mt5pM9XB$(g35Vm&40mYG&r58Dqf{afq6NFX19E5|QHV{fSU)c!^$Fp2OJA8!M1*~U#F2=6iqO9X=t1~rZu6qIPdRtc z_j8=SRek1G(17>5ALO?P)!{!T4V+)(LFN65hBp_gyB6N?mo&)l10hAe1cXWv_0W%b z2)Vy$;nh3TU3b*{t_6A5kFf8~os3HBBI@b8JP2_xP!F+9SQJLo70bg7ozerO3;AOI$kMFh-@*BeL^a++ebWK)| z$v5~V1M&}u_1%9Ol?pI`KJQDYN`?FHQ4hx~6^6yq+3`Ra6xj0H#K%X#2dePndwm(< zOCP~oJbADB%8$d4@dV|4;`Bh~W76yMe?~**&`;PSosUSqkg~`8nYjAhIE;Cixao1; zQa)usVc&abkGo!_o;&$P4+Yoa%qDZ?KK14MZp5`5CNi%vGMDbR$#4VVOFnz4XOr4{ zzxwuhd|DugI?g z{heSMPd;cfz&p*gN+r5%te;x0{_rc@P(zM0EJF=}0&ToY+?+ba4E5E7hnuRUG4aE$ zcAr|QUR!ZPm%HVi|Ap3c^)I5*L_~eA)kDm^*cN2JlvF=#=6){Z_{2KH3xNXJ4*)lc zeEu~i`bohAIAY2Hy8(T5wR&Xr4cvj2Under zfy5}xx;|Q??pec4CFDrQGL;Z0P}c=g*S^1G>iXoTJiPEt4KczJrapQ| zJ@ODttG;JK0Y^nZ>O&&+%4s&Ob~u#mT@qh~6D>@BeoIr2YMv{=@>B1l#U1~vsFaMT z?{(Rjy!T+8)eB4CyV$8d)%mGz>B`RmQAK_mh|WdS=hHQadc?Tctsd|8igA*}xbOoK zMAQo#YoHW2WrUNZ1)b|t zclLdX`=#>J|Bcct@&<1%|3 z*gI?zfZd)sGpJtM^eL}u%BM((6F~Bbi2B0M_>gq%--#@{Gr40#J+%2Vxiu-DCnjF} z+o*I9=E##}CESxy zkLx#en^4|!6;12f-(gTOqP{iia6q?a?BrQGe@|Zb z{c$%9kEc2^u6{h`XOsb>V*pLl8`fB 
zt4l(lK&oTFh$5c?MsPRu)^?i{pF3ZNwyPg)6Q_vRNQ$d((G;=g=iO~RE}YHXpUkO8 z=V0y*I9v`qbp~F~6R*$w6V2Txp0LUJ+_$>=4fWJFK<(}uSMmo;?dM7D`+q?Q4>^H7 z@(%10)YWgQPk-|!uR+PXKOhYQ&Ap)Ev%d&LdDf&DHzcwc`+?IG_1w-V?3?(BxAT_r zDFelPmq?ubXBrHbza>!c-dKVI8uiMPh@PLAJ8vnUGC=67AV~#p8-k`BY1C*AczwuwG{;?O6vQ+jFRwEdgm?W zQwI3oB}q>H3rTYQDFMI#bs#vXQg;BDbJFj;`RD!0JO7ua14iP#UlEig#BoUmHX*?I zmwI3?Xv#l9ARuo5WH|_g?vYPiq$y#?eu0oXGEB5^Nd|{&>i%y7B}y^iS9;_ZiQyyv zN{h1Bo_6rmxIY7DbLu-layTdlAuu@s7(YXd{}2em68y*kUxHPx503xTkADs5)s@h| zoL^Wz18{PgI5~TXIlp&)-IoK>)!WA7YI(iXk35r+m7fpE=$0f zu)6Co$Q_*BQ6upKh`vJ-9{vv&E!y+D9;#xDf$d-5=vh7fJ3uoaCnP9W1gKpnYDX^9 z4(7z~IqLMktpMlR>PyFN$a5X|KeV4i|4B-G^0*^T@I?bSF<0Ms0p#(dsCY9}K!)Q) z;Q~0yh0Kj{=+H>oMR%Q!8QPJ zwy(bM2OvSMv>5-aM*9kZd2ibG1b>!bij1;I>+gSbXbsC2P@Yv+ z;**$tRMWJL@DHCyG;LPv9Mjfe5&YG(4l0L_@LAIy#!pbh|H21s+BMq+e=1r+(|X2w zp>S;{d^WYsnzn9sEqpE`nm!`45k7Zq05aO7wn5XGN4SG!e2f3 zOKZhn#7a-s_LVDBoA5I>WX~o*WIbuB2Oc!dXz3p}3jL$mbiOh&*uFK3g^y4@$(zQ{ z^gK-Xw7x#j2QTB2Z-s)6xoo;Sksa*tVf+_J-vy| z!~M-hbNkkj;r?-bh~U?zK=q&qK#fYKr<3rd2j*6;Z0BXXXVznZksM5p46mEY_T-6= zN0Hy{B#JG6m$4DmM5xpFCr$Mv6(|;zHi7uJBK=_gJ2qiGvDULLKa$MPWPr^Hq_@pY zuVbSvzcz~Xvt%^0#$+l=%e>1S=W zhNjvvzB$=DlO1YHXz7Ur*e6Nt*h7-_5AxSd@;m*J9su~|8&RI%{^%rmNxpP@^Ki0l zJTtUOn-1ak@hbURLg42d`KC7yHCytLerAkGgAMg`Z#mO4Nd1-W8?LF}POP6rQ9(Z~ z{ZrY=e8L=Tw{brf(*99uU&QtknRNFYj3KLSN1}Z+VEptBH2aJn(*NdUcVc8HJ7W~` zquHT6$)G(l2k%3*G8--e~|7S&!z_pnU-~J zydQz)#&+-*zW$)6E9oN-4JGgcv*6b(9yF~V`Q1hmRE?L;t%$#RymX=|rn@J=KPL6z ze&7dm(lY_{YWY{HhxtL%Ec$kTP7!^g!t5PjME{V-dgdSIMutc72HFFGgMNTNXOJLv zt#_8(7>+NPO#p5LKX=Wdf3rTrTNe#A(nky7pJ=Jce;@Hr{xmx|I6abX-_HA?w+}k0 zhJRa!^|Q!uM|ty5TLE5RJkKG$u<=fVp8Rh&^0$0#du{)lz^w+?*3Kx=J%4xs#Gx(3XVI_gBz%FAo| zGtIzyN4}1Ywc$H7tgn{O?3<|BUpm&a{u1OPe>QHwy5e!HpCf*4d+pN4u$ySrVd8pZ zEv^H)XgocRpgq+8)QI|XJ?dxWSZ)5hNIp_hx_M?KouAZ)2Dc7_Ps|Jrj*bvcFr~gi zO?f)7p7~So$N7Rj1oJ?5dqTH-b$>|vUTTk~*ip_Tv!h1Ox*71vur6UUb2g;?2(?F3 zXYDhS-IWnk2dosA!_Z*+aU& zHT|7d#QN&-P2(%woQJjdR#-!ilh8d~z)w5ble4}`Y(m|vMJsxABNTVGqHmd?{RMv3 
zQuw)xeMYpixXf%v^XsPhq=**S4iyN3{eizn@E1+mY`-(r2c6K4^lQwI8>pWA2d*)O zlilU4))gXu7s*fit)AZI&692UY_~P9cMiZ(xCXrrswew4CI`VMV4rntSn2h@X-8jL z3hUYYpPw6U>A*Q-2KuiI^M7r6X{x9F71(Y9>|}EDP;Y*?1?MSv9tml`j_PsGskz!) zYg(;0r2Ph}r(S~gxG$UDoE&u4bJ_$VIR^XOC_Ytb26*l+_EkY<0L;K%n4fW0Ltgf zUvD3nvWGt!|FplM^`JHYLo;-JG541w1P z9!2k{p8sh-^LR-6Nor61Rm`;XCLI6PwW+pzU2C!4S>JTEhQJpI9!aJ1XrKnT!y5B} zwgKzOG}8SunW63}+@JTun69P2UaV*9A!q-ZhHyYF`|qauYX6=_;~Pm2!X6*D@ttFU zgw6ltw6Rv}Bqs=i4#pLJe_lL3ZB`yEmE+cbBoJ?H S$N!8V@{N{Aq!0f0!~X~7dRS z{_v;2`@D#V5fLe3L_|bHM5L4(5s@NNY$-)b5s}7-5s`}&5iuenVtwCPvu9@QJ$s*= zq?F?Om=7eg_sm{v&6+i9X4cHCHKF9bTNClbwTWxTCvp=x*X88Ia^z1U2k+xI#Yk)#Ig&Rq5J>cy(1nV@_dts;sI3&qU#ZSaLzk9VjRafCfcxPrO}G)E9V4 z1Vu&Ff?pP0eOac%A0la-l!3;Ax^#6_*{pbZs-cX?+!#x4jJbCSGCA-7CXjq%;zmXC z)j&P6rmi|YE0ro5U7v2Mv#7q>pYH^oBWbVfn)dt(fzi}pXDqoh=DuIlAb`cjYO_8y zvlKN+4J=F7Se59@G9CW#+Q}~{PuG-+)<$3BO%RO{q~DOZK{Y{dkbrJQP0(Nw-dkrm zCi&Wljt9Em9fIcufe#nRC3O%d%@han`c!GT=zcTms~XXX6Ge%ln^DSBQTg=RiHlMw zlqdcdQYVbZV|lv&HD@ayed_9=(5h1vDX({e)$!zt82(AM;YSEUoP?veTL|n`wT-Fz z+R|!^xrHjn(J2%UR~OlfbK|T!so5lnLj`L!e2xi}UZ1#LQCa}h74>zu4!+f*vp~Lg zyuYuV#=ItPa9A8mE{?f_1&J0CkcWm<jvs}TN+C)RpU}L6uZ>`M7Elrk^=eO@&5Ypi}?k{bb()q_~XgPJpm7X2$ac0Qng1f zK$?-7I;FHujDdcfy}S%ZCHz>g^|01XPd}C_pE7k84F;0!Lj>E^XY6}m2#mvnni}c{ zO|7aOq-GC(8m{)|JAr3EMM+6fU46PN)zC1otfqWQbyclYOY36Eb!wFD3MQyzv(nlB z=czJ*$Kp?+%5ii`(xYajHw5Ux*w6@0HCB0(Kr>0TAr)(w9J-&foEJAnP^NO6LY4AU zR^+E_8U~tyrDcL^;q)me241m-Y~Il%Ixq}9ny#!JSe~}~R-wvqbV|~wX3g)8q*2UY z%gWMCwT-5~&5I@H#aub;ghBRmPK@VG4XJvoP2=LNL%(}KjUEJRleM(`nB;@!r$Mc0 zEE+!x+QzEV>M4pOuFP!6AS*DIu-UKGs(k((oQ$)v;`l75PR9znb{K=x-JT? 
zW}z=Ir5rDQ!SsngSS8)8OrB~zo|DM+Y={|$((3Zkx+!&7{CKvz@yYS-04UZwu&Te5 z>N0xTh$&fjG-Y6kJyII6iiW4_?PW+mp6mFY{L1{sOv*f6UtuVevLhGOnV^Gr{Sy7u z@F`3rV;?|E`IjiUV;^wv-%m@%<`T4|o6OKMH96INw-^UCD4+-!ebY^0^PPNp?Z`iV z3NjAG9tCQi)0k}ZEWLhsAR{mf#D`&Y6v+3E_t#I!KX=tGiVU-84T1w9Y(>`n*?UI8 z)hgxnowa9V!=;|BV^tm6PV&7|ApiQ?=^dHc$!?<{D6~QE3qu7jGT< zEjg!__F>bLvUKgVDsKUXjXYwX>5v?fAG^@X;>W^XsB#>g66H+$g-!kgRM-n>8)&fx z&k^~FRQ4U4NR`8_JeZ?Nb zQ9Y}+%vDxx`6Qc53C&wVx|`kx79Es=T)ImWsg1-hIHGTfAB(&~mE-6XiUkPt z43T5HBCww(PziiXEZGwCcF=81#TqBa4$1=y^U|qh<+l#GZKzGX%5e%+%BEgzS$9Q! z{`Au7CVTTq0p=(`NNyrmOtW+3$%0tSi3vkoERoayT{#8)odF?jS=BJ5VO9f<0Z{V| zO~T6f?~}YQQR#Ol-mRvH*8&tw>DZ#CjrBn@Z)vdA;1Ea3X{=xk#_FxsHeAvG@3_7 zsD28FDQ!Ir3~8xCmE-7?zh%O7Qs_D;3=o*zok}_(l}yj56-I0*m4F5g)KKks*e$Gb zoI;iI*D$Pw>q_fkD4jAbU0v>B=f*JwheJeFZ%W*xddZuBLY0#HK4Hv%lU2mAU-^j* zYmU0oMsz`NXj=^b+)<*B*lqhn{X9Fu0b_M+%@6dCGUOj zDExo#u#$hZTI!lW0Vnvv&x)|+Uqh;_3B%B=DPq_ZgRwVy%L5$41ZRRkL$H7=FjXkh z#q9aM`%5fx^YGFUzp@~!s-m{Ev8f(gP`+`pGFj>E-x^pz&K80_-$MDIlt`th+u@prb3m2T{N$ZWSH7RygehKWvTi`C|is+H~|zrD^#Ej z5^Udj=*&Bi=i~0|wx8976RmQf#=SCrqKmU8IyJMds-DKm&}~rvSm^gUt;2nV%qP zGzExL8m$j#(TiVOvGp-|4ol-BHe(xdje`scdP!?PUp)!3I0~B>E_+6yuIiX#Q4?-Ri`| z5iTZr*>j7ZmikcgL#`_%&w~g&Z1_^sb_;)(3xv$$Y=$9Ap@i!9&fh@wdnxlSOyQKL zriZm&fqd_HfBj4gI~ZW51NbskoyPu(J{Vv+K@ch!7Z4|*_N9Tr-*(Ebzzqzn9dF4f zPUTfN7}^+^FmZYEurlEOCRK}iyGd0JU)u9EUuFRd5@ye!Z1_DeC-_;ZjR<_L&pSnC zG4yCQW(2;R!C*l)3=Z1Q${car7C$yCRSxD@UKvr&SRljJD-BhTOIwDSbE=OG7);+h zfaYCTUx=`|6?oP*@2?~(lbuZ)8jRovLHK#1rpY!>RF0WI`*{+!ih9kvBY`d{?3ZCW zqL-K9sDz(0f%AoA1r5{XHWV-?ux65nVEtmu&Z%^mlJRE&W9J)pZzt1D)WmV;l{Nv|w zpi79e>J?(mN-JoyPw58$@NBeF5@w<8@?c$n(;B(0#1sxA#gWUv_b1*z9t4VAelfKi z)F4i~R@GKDifbr-8wV)Hi86MpAaLB(>0`de$71=Cmn(k9bJ-n(;)K5e#TnSrij=(M z13t!+Z87|FKP1{OBLlA)cN$XQueyb!< zLC;p^okkUu?EF~qPC16K~HU39HGX0 z-h<=ftwX>4+zrTHLuqaK)bvcMx7p3(A9s_zLHIbbtZu9YOrWe9>iDu%jnG5PLRb`E z1ADxV7n>nk&iX0 z8XatTQ#oeb@Hgq3Wj}6^VvSpUIOI;9$IJ$85RpR&{$pWn|k*e6N)|&w`NcE|jw77DKPOgB-kHDS4c5V=uP1f`}d22NQ$vVr=E^S$jz^{U3 
zxEE$2*QP#xdY>T*z=B8wCOdVF4TEeeP(HnOBm^&>Rdh0C5B>i-F)CB8uUCoD^73Dv3PY|< z3T9f!?_QzqOdYB*&*Fc!OFCb@U$Z$OV1n<-)hMrH`sh-UVT>%V+f68Ml0)dl;QPj3 zeDah9QFO)MbMkZx5qkw*Yw`vjBJWDQ#l+kD@8Hr>6uDQ_9i=EDuY@Z}QM6qlH;|&p zi|cVpZYW+x#};FvXv+3}Q4jB~c&D>Td$5~DSd2C_PAS7k;q3&6URz;n5(@1glxA4!TG0&!dy8HQ)Elx z;^M7Czx^cqleD*3l2%bQJymNiMwmG&2joXS`^lR=B!FAU3snv*EM6H&gfcREXDlru zDy!;o#y7-Uga^gIgPp~CM|Q@59NtgIn2SovVa0^YFPyv*M*vX|Zri;+tdtY_*3ZnS zdOVt*ifS}g%OyO&_uU;#pfa#56H}X8B!2>@i+bxU$0R{)_<^rt&t_sZKy~TVR5kA} z(rueuvxTDw$V88Qhj`~VLr8)WrVWZv$*@jHL|WizV@LYk6E57u%98GCmD#st+~mqxo(}7i+M-eQrL}MrSeCXl$5p;;$N%VOo_AT-7M8TUIx(Lxf!s7)hty(nL}Jcq&Wr>k(V;oH#k&6|51ktH zt6}e-aM5XadD$a7K(c>BxKNdF3RM{p8r*E{BQK2?dyZlJY;G5jN+ zV@?RZ;*fVV)&x#CJQ#K=950O>xPt)(E(Y}382I5Ux_27R zM%$a0eOac%AN*8xDWdxJ8P{sju+f+SYjyDQ5iE1UkykVyU{+7pPN{=IybAV2pG924 zvKgVyK90SAg4F@~vP_3R_!$v3PpejawWAOn6>X5dh1|uMA+Xw^XauC z|M)5DQn2f=R>8T|vUItebQoK=A1F`;u5T&2C)B5><36fAJ-Rkn!m-}?iS-;=MYk%p zL_JjCA-~F%4JOneaCmt*4%bXe*Vk6r8n2JZb6DC>Z{*ZNHFtfgLhZTpGs{u1L1Exr z@S~-*sev`6wK$bx^S2+*#l>(|)=y`Y5O{!XGdDjH%)thcfMB+a6^jbdc9wkle0zy4 zIJFC&En(WUV3rpGk#axgC!^;k@F=YkW$Lp+aRflV9lAgyraZox% zcSk8Gp6m4EPyT8|DSlNAziFOpCk``+0n`Q@jd_GNMESDz=Q~&XpFwl@vUp5aGS#)& z-jB(~+*Mcb8^|(sg-cL{9+~n38?-f2W-v7iSR@Knj-ykTi1GRWBR5coVFR=8NZc_V z7vIHMR57fjB|Tzq-(`0YcR@{I$6! 
zi(2F=LWNJRKwo}6J(P9TmV%tu-AP$j1HDItn(diY-0R_|ENb1u8%R-Nj%ZwJS7lwv zvsOQ^@1mhAW?bsU0(ld&=jPH;88nv6hiYW&tf;*%)nImGNhk&y^j~24|0rgDQ#=5n ze#@>6mT;^$ek!}-B&gH})A-^)8$6(&tyE{v{Puqe+|cR%HAJDx!H$tvM$)KuprTA& z8GX5UkPJ-hHCXS+G8iyW3~Q>YhSjm6DCBmv$#eRcw4_$8ucJ7cCUYNlN2Cdvh9GXB zF!21a!L5MpGR&E99$q@)m!FuZU5|z)MBnfny&IFIfdQm}xs2N2u$xciaDT(RBV5Dm zh8iiq#25wu1iUWeoOgtsR-%`AOyh^@F3b4E&w*XmvC2DCs+nx7x=TGSaT&WzV-T<8 z>oVThN2xu>nBfjGuV&rMX87guhsn9Z#|~~kcvS7?!t-X(wc?cW{fIsJ}lNC%sU#)StIq_CY^ujZZ=&j?$P4MYL!Bj zj|vwEP{z7Np!89@95fi%s#$8X?f~YH+-~v{7E!nUtKw{f7sp z$fHx~u@j0$>d#SOzdhsHU1LnLXkxHHWVy7ZJr9vzZy4zt051`4P;`PKb8-jkp3 zt9;px|FJtH7y7pJq~|#q>@hP25FD5kn#pW{$?!-hr@6v6p-gp$!tisg3KEA2nr=?q ztTqB*In42$!nnCeZuI*(d7WLx33=BYikUN~_E@q#=8h32!VsY0h)|8%M6IgEZNN;! zk(wD7!NCCz7vfB3QK^h%Sv0LaT~p+%$3UxZ-_`>lPES4pz0h209O+eq8(G*rCB@a8 zmu${+=f?y)dIGwK^w_dmmaY%KB~_?$9G&vl$Eis*mJ0QQL&o*>scPvFP7PChB@+e- zlmxoDJRs*asnuv#`LZ4Vqo1%hYr^0I2tF_MfdW3S$qWwE1zbIPBmKW!0h`Wga1 zzTX}Aes!akF&53C3mh&=X0$^mx+D=RhbD%qX`yh%QdXC`Yf$N3-kF@cfJJ(6Mg{mF zoeVGMM7;MixW5)h5BxwtGiCufznvf^bP?d9(SXc=qLst`C`4<3k7bMDUif)0TZNzZ z9{p6m&7yjm1Zt)mTM;YI;85D2ha% zg?*sjl71@9=&EEvi9Po*5e^5W3``7E`cD`ZD;pc@8txi2$Wwq=kss?n^1$JFW5ZRTjiaqdFIj=Eh*f!M zZ6mzBSW@3xXE`S67Z$T5lx6i5R^AiC!GJY^0Wmc_a_#NqV9o5M{ABdg9ZhKhZbMPu z@ULH!T$V^(00jY zp*{FS?rML&6L=PFWp*73MPa>3$Y(uWK>^mlQRtdfc~z4=u`H199q(@de*Xc@B(G9s`8ci9tApQYTRE{xz$*L;@S|40ztZy_{7(p znRnF1-kx~7l0o5B1LldUTB(06s`|1_hd=nGsW%O6+J3^XnnwfhOUWx<^d^ghLY3p_ zl%Fw$gj}s5Oas~96>A6_7U<})ALhcQ+8RX4OqG+4i3~UpnDK~{Z$0yn`6gjUvM&wu zg_8pA6si<8I+MZfUl#VG)$=N|izdjr)K`M9_tlk8o=h8eLlFeV_MZ5|yw*pNk~lNQ zziyr|-%NqwY>j^eUF9=Oqoa4)K#ZvrBYGX zY5n;y9{S2dfr`nYci@ig)sK;_+x4YcKRg?LSEA=%EN2qEtO@PW)!2YtE#Ek5euQSLuU2VLP%!9B8%NQXPtEm#O0Zbh&VEZ!Z|xVS3|n&{?hAvJM4&VsH~ z+N~RQy)~Yc3uZbD=m!nL0v$nJDg{mcHZ4>+*<5b52@5~_7X}kF1#~-IQMDs$%B!ol zdRJIQNV=?LEBc};0|!C^8)ai3u=GRj*asZ^2XdyY29Qo*H&ZX8AIrDdxFJS9zmaCV zwY^nd5)YO(4Ogu1O1r7d7{j+1j=!N^D{Y1^ zSNT>;qAsha${Q^7e{Vi2?HXM1-YMT=G2J@r$A`Vw*DqyJ2r*ZzM@q*g_W!58C?jfm 
z<$0mB71$f&fAa0NXejq)SC;3=f6hSYmFRQwU76^;BD_uhQzi=E06&u%MDdb)n0$A1 z-QO7BlJ;y$?II4m>|P}^i0+l-Px777ZHV2DE6I~&$Yen&*(=0{q}}Aoc?b-SBKV#; z+RE?h3f~;cf#s$49@#ZXm&r(M>xv+6UKhi0h!dDh9wTqGdP9)P2xIc=;VbfAB8kb$ z!2G&tl8lMw`)l?(Z>rY-RRzQnZ)D)1$pqP)bv8|8zrNzAnD6 z?4_k5@iKeDif*~f;ukA=fWE9=vh4K-Zw`B2c&UA6MN8~un!-mj;8IWBd*Z**-tSS( zV>itk;khxId!X+P_t|KhjWS*}wmdW9n5gxRj$>f2S)F0)gRNBKHPPCpVjdd(9u@fp ztj)zY#80DbA-|j+8hg{iOOI1o97=gz#wT*4Fz_;uMe=CZWf^zm$)w9V#`L3>6)0_` zg}1c(EC0Usvw~8JF4Nc{EB3mK6W#Q?SV%0k*?YM>E=o>tozLf)k7n?-*#Awr{mnsY zmQ3XIhpz$3_AcO;NdHs))kS&lnH9`0t*%bb=mNK< z#)|SIV}R#7*r>@iC$;*sQ(FuQotOf(GjL-A*V*)k`tTCiq0St!Z0{sde|40IWqEEE zC#0*Z%4YRfJ`&|4D^^gKu12>51esu2d2l1t-x0sr%f4erOenfvx`ab@*%K>NP*pBY zasa4Iu&iD)Qd6hkq;h{prC8?GxSn1=XlhlhxT;=N3%2`Tu%i0f1{kAG>&KGXvQw z$+LwVij&XCR!Npk!HW9JbHwbmz9)dM)PY}?T_BI$qSi9Ovbzo%%LL2np(IIV4S+Ji0QM8&O0h@btrq0-M^>z`w|9*J zOi)Rd?W=V(6X=d7`hmPyYLt??&;{Ts$$;zri0ok33~Mk?Q#F*;SJjCsjVJH1@{xh< zb^n->TZY_z2l|kgVwr{FY^wMHPL<@@rBlnwaZ7zDvQ?60#{^k1_TpM-DCkYPXFO=; zEe)0Z9qSbTRF^tCI>`7>5d#8bo=OROK;dzDd24YLnpF@6-oj2(B4% z*MxVMy!XAM@c+HTO8&LK6MUn-2D-fa?k|zQ*-NbuL1Kt*)ZxXEt1V+f4mta|0_Mcv5 zsrp752vv%~h@nC;Ozup#Qk?~rQAw6vP@bAD2UVG1S*k<44qc-#r;z%U;IK+E%mu2~ zdI^@L#QKw^hD3L6Lt|Mp)M>JmBdgP@$5lJUUan7B}gXA7BKoUp z{IGu5!#RI}JV%dlOC}Twp>4z(!282q7tVh2rVn}ALnT@E_4m(efWPOWlJXj8OL(9v zMc`$uJ;GkI&wA^_)sS|bW(BmG06#)BMqfR*Ed$N`iNVM+P<;PvBgHGwVeR4fuLI+Q z&m)fd5^VMdM-M);f;uiaIG}=+vuqLk8$%EI4A)A4$KVEASO{(QrKJ>kz-oM@W+MtA`<;nbk@>GHPo7=&-4*M!pcJs5n2V!iojrj$(##x9>m*E1DJ6`X~h?&D%J_ zc?;cQUeri5eUB_qg4HTsql6jOe|&X~u6mY}>ktKdxmW0-+O$IFLS#iaLthcn?GKcu zIj=XCgc9`jm{`NGT_bcQzP+R&h%j5w68O!&`-c@o=-~(94nPO%2|jafsaQ8?1eIjj zo=Jkdo-}9+g?wbibPyOoQ88k8wps-tTP1n6ill;UmE_qOX2D^d&59xdF_g~DcrX$z zM1Id^U{$~onl7jVXn;(0`kav&5@Mo%Sd0nwNl(Hs^zTs|28L9}RzNjWm;{!66|L{4 zctH`s4&O5?7>qUm%gK1MUyW2=?pa~&{2xe_Cx4c0uX@88Ry(=}5ap_#0U_t}nBqzQ z^t##nKH*Uzu}#E0%IkvGxSn~aw`mqDHZ_}LNkw94l`@nExKJnD5w8^*K}CihgX{=r z(UBPpvfm9fm?@ill=2#_nW!xo=5e-vsLNRfHQ+i{Y^%*Ig{Om5k@7vO;fJzDd0WNg 
zO?zh5Uuc~QUWcex)(aTF$PG>U__H-R(aZG7QR*j0Sl`+IXI<+ z4>wjwJDCCu<%5c4M_Kul-3ec*B>zf`8yH^1ANIP7+Wuo}lx_P%9F-FUz687UM*u=r zNZRg%*8PVG3QWk{4Y|?jA0{ZRn7PsEA10{K>4s-{`iBY1%wo0O3El1=CMY&|_Rz>F zEl>Y2K^Y0V!VcmLNDfWhC-!Cg4@e%)O-%EW7vqUXyyW^`iRoT)X`jTLn3rC4m43bC z+C;7Q_QG|E|MZgk5{XB>jGh?o3_spskv4XtCi zd3|z}u71Z@UHx6-b@i9utI0e)QCD=?1Bt;NL319`fHzFi1x`;++~pNG{-MMuFL~|} zP4V1PU8RdtHH2L$UEpwq2Dai+UEoBue!D8IA*}eYDbS#kEz>oTr)KESmOrkgqy4{h z-46Y?PM-K^EHTt0c>l*@iFz-+dR|O}KG+=7uvgDF?^i4^?@xT1yx|rOZ=Bd=j@kF9hd&plt0yO_`LbB`L?aYz+ZR7lsW!O zQ)cBcliq#Y(7EA+DS!AC183K7O!-s4HR&~H%(q)QO?uB+Q>N{lk+)NSGU<7LHtB;G zOj~zeG<7`os)2cAcCK#66LWI4COSViSIh03PvmOeo@h4jSAHs2%f_-#8#o(2ldEOy z*b})%ZyZ=+K0evPG7f$rS4;Yu<+)nAPp!z+I%VZoa<#PX|7xz5*5hBx)mr1g*A0T^ zb-B8?&0e3ISf-Ts+NTWJoBzjDZR5Ah$BQ;I>RP^QC~AA!6l&dW>bd5b+{7M*Va0O> z_1x#pz;g5jlis~IH&N{gG@nT1?wM zm#4*d?NU=_@3K72txaDtWtvy!Y0hn5m8V;yb+sw8ZH=L)eJ!JBouOyNdV_2J21C!0 zrwp9tR#WEUw+ze;oAdM_vv-Rre|D=WGxvMuearVvdgU`Fz3~Su{ajw+-#sZ?{Cr+w zzG}(2d-4(=@iGqYH4U@$r99KzCl2H#UR7Ugdf9+I@KZzT;=_5mzaH)|WsV*(Y}|a* zkg@QX!M6UmVbQV^24>qy(@e{MYv7zcZQw8Xy@7eC)4X5x$2_BP=ASnihcB@DpZcr8 z);c?`h2_~faozYE=f<_rt(q4%P}hGlZaBGqL0oIiLkr`Ys|TNmYjJN`VxV69TwFJE z%Tj}R=Q0E5;BxbR*9!CP+LZ?WnN7%W2*5cnb z8O>Ybx^Er%t|92$(yh*pdVA35wG?VUQFPitK zUP34gPfoY}$h_bBWAlE=Pt5xrFB_sa{4}n|w#`2?@Q?hQwdKwu=Hq=wS;qSRjq5R~ z^Ve}L5VPja|76M>`LhQTq2VunDsN1`()#-J z3IhnmD2byer4)tAd>)oKQ}pAKqN0--w&R@5&iJ04wX;bDZn(K8;uuO^uZZ z!2CGf*=R`QCJM&?yC@KM;?+2_n8?k!J=Xzj39PU@RaVtdm98~##05B9l}q%ICE~)J zpvlcAk3ETgb|w+$xxw+u(<|~cV*oH8E@8ys6OiZoUfd?-FND(){>%{&#$bV7UVuUV z(bbY$xR*!H+IW^=Fc>Ma0+_D#a%!iiA45Fysk8WJNtr3mmE&CWz_Ob1Db-cAnsU*Y zHw20>zuvO7i~I$|g#Zy;1n|7@=aTL3jw~hwfcc=~^kwxC=e3~t-?G8vUH6r={Yy4q z1o(PWrf>XC(0GmBndvj>n~WECGZi;J!1yQc%Jhl$y5)U=KA4dr>FX*?=&46uDP1ZT z9WY}fGB-Ze+n`#g&qYfvM3N~gDtu!mw&L!f^+85@#0Tjnimc1qE@N|h-vs3FpSz+f zP(EX&gIy^ja9|dZwrInh+xW7n;KIMvMs~#BcO9#Y3(eF z%V82#ZRuy<%PPi+5rH$q9j!o>7}(V8UpsE3JoQOqrIhE>G1f zW{7!BSR0AJ>8earV~bN+O=XRyvBNsPIv_Yjw7R%ooA%)j{iLd*7SRgpF#?A*@V|ys 
zzrp@QOY`j+%Zm$=Rnx>x+tfgkUOnE6o=}|ix2c(RRk)Ud2_1!f6!XID5l=%z^;CTw z0;@N^UQ#a_dQjH2scL9w@(alwS$~UjIZ!`SYMW}N`aulN9z@gBM^j~5eG1xd&idnk zp3WX?V6rOOKeMd)U15By#{E!C1d5vt140rjp3akbM1m(YK@q= zUfyT8&f4UgMTaShhN{O?QelSW26biFnBg0N19N#AR07NjgAr)DTr|boLwGt9$Em#m z*J!N(-NMO9g$P@#)Sr-p08U*-FcdvK;m0LbAEgzkunDJcm4z<@qfB+Wv>XZu<3bZ+ zp?3*@=5*Kjkq1YM00wUq@D@vw3!;W^@18r-iVADCBIO)o0_W?5-*PZlI2)D&EZ zOM<)x*Ezn~kLc+hTUh~b-WBZI-egJ@Wa9*2Ht6*~*&IApg_IT7lW|oOh&^kADuY=| z&9qXPRLWixdkmr6@FlRSaC|c+s zO48R3IP2 zSI=6P=^GtPCzQ*5Aia)rfd;oo@%(`e!_d!fK7{G&**RP8KdnD9@c=u>`eqYS#)eis~jqL?1U=Npf_ zC56R|;75Tm%3D%Ieil7$d6uHcFYU1`s>di2jaud0k7{N0Rmhmv6={Dbx@uN7 zHX2c|chNAVNpa&c>^F9?dhI-DEdC_aw2oRJTZ(T$xAWTNQ<$%r) z*#zM8+wivcCj1&mfVZ5!V4Lz!eeHKOt5g6U|0d8bg4tII3n0wNenY!xv3@!SpUHu+ zPg!+oLxayGFG}{7uc?@L&SwkC!ty3*9+d0L!c=X!HWcDDe&GNeoZ%?%+%{8k@KZy7BLS13bi5}Bh`1J`KK*-nE6 z!>%)5r7NaX3)3Fw-J5*b!48)2<%Tuc^}Z7Rnv$)+SD->!t-*wA`Ij&&cf|pMW?CRb z5t&SEx4>^Cth>S2MDrn zKxD~))D%S)3~*H7H;tmGtS+ssP_+y%5v0t9!FN&w4AX83OMvFLS~NG+S5JY{D{K;Q zVr(Yh`fYi--r}q2#tNgq@{k!LttcXluHi!CJ0c>Q-F(-O`fyXKw#>5yn~o?ix(C<6 z{d64zl{dm`(bzXV6~>?GrBfrQQ(96mnX5%quTOoduBnmKSE5iV;6CuGn8KN#biGG% zsN&400*dRR#)b4o8`6E6Rpj^bjYqbgEfn|Ag-%sK1-Wpef$Fk#sDRX0z0^BdeHt1| z>l@{;LH()#FB+Q~IHt#B*HQ8b$INk$fEfA*W!@ z(U5{|R8ZTSs>mf@lr5yUXihm!6*kq@z=v(B+>BLkqM<%&QRUASz&MfD`@Z$@SOzRm zU<2~>X8JCAvD26G?Iq1M^gevyay8|JEKek`zmr9XXh}PyOIaF5oH9&A%+{S~Tst(5 zfA34IXzVg!rZ*d9e4$E z%*H9wvx4lBqVjfN6j~{kY5Q1)LVhEf&73gvnH{%ATYG|rGdqlwDQcU{?7*q4bk@c) zJA@a5VwuS@R3>O3v%{%sz+t8_TP9g?pHVDBy(7$FcKAsR8>6*l2n!LUXcL%Cjaup| zh0683kgcx22J|<#UOP;xSi3PY?{adICsy=IT%X+i7u=D^ zad+koNc8i7`>!Mr_|>uG>X>^t*Iki2V3Ow-&Wlc@+{Ag00DKXElgW7(aZw`2ZO_+$ z$AsQ#pnD8C`sMHHpY@0WA6H1ZfC)ONjzMVFLn~JttD*p|B9O)IqtH)8e3)8*yQC3gL7vrxijW2 z?c=uf9xy2oqb3-N37EG7vy(gs%n#+bORw%eW;=-Ss;k@+{ZQYO^iKy1T#YZb6R;kl z`mTGG>O1F6-N#C+WF|CAu5~-E88FE>hhl!BfbSIHI}3cnAS`dz_?oljFS~&vMG3g$ zNg18%!gcPp>mWho{nsH^R6sdrr4XRaf5T;^9Cu4nqs+cZg$AW6N;LZt?y|&yNjj93 z32FswO9|U?U_&>X-M{rF})+L7{F5QLSdjlCxv(`FFVc-Z5a3aCu1azkuKjA?N^tn{wPa 
z|Ev)>p3PrfC?Y6JW67m4clA5nlmCQ1#A1Z`0)_$VysroWYo1debjF-_8L0ldNCfop ztKvjWE* z`C6awh#~CAP41?fFo-GtWhPY|@($QK2;0)R1)_Hyzr|n+JFJe?hq-&DaW1*VJ#jN| zD!-~GRUGmTIL{K!LlWnP!G?=j-O18jO$GoxJjh);2)aW#B{c2{foc9KAxKL;PPN-J zq??$uma0wGy3Iq}!?zBYL{6EcpF_Z3N$?K<{y?aVp@w_jVFauM>Gm7DxyG)fdGkok z$VEflW4Co@2C|vZ&z?us+w>k&y^I%x)EW}gPC_ku(8)X8t#_aYArB!;RH!=Ca4(_Q z4ixA?2k$f}!VXnS`9KZ*rai(URmi+M-GjyGTcUtKq!Pe%lrWtICiJak|86ja-Ko)- zJs@x1b>LPUx?PH2F^S z_~zZvWZi7eL+-u@qqzl7ogc)cQ8~XJj!2aLK$NJ@ zX~H)D(==&Z`+pm38JWZ^Erf7ta;kfJvb$^YfJyKMD*{>q^xUrr!D<6&H^*K7{}|92 z)uLJ76XeEZqkH^A?v@WhZYdz97Z(%oml6C|0Uztm9a9W^@9j`6z)?s34y7{9N~jPV)C4vy^? zr@H&6c4urqOlX&UMvB!mQ=PDTpn8ztoZ6LgTTK<_hJsU_1o{9#qoZxFG@vuq z$g@&0fjwN|uB?E-im8{1J?alV3S`Y|gj6*zB7r^gs9|5=28x^_>6<`=M$BkeJnD8< zfpIEasYw-wyaU1&gzyj$qCf7bF|`Y09KXlQYIdU9U0>Z*SKLI1mOMcu)~ zcR+lE5HDIxyxZDn5Qp-Po%Ywwb)v!D)&P`QFF?)_%6$^$uIWbW2bMb|AGGF4!^3zo zHz^c-%XIfblT`EzzAof!!DmU)@0)2_BXE<9;D~)C*4(FNxEp8a<+{8PtCs8X3A|ZF z2sQx0Jy?|fAB|v4;7$`Ekawl!EXv%7CX{lTx*T)vS(pfm5T=M;tAp19(H25<5r{Am ze)j*>jnE|`-z96p)e=j##N77(ayR@J+Qf@EiBkb8RjgCy9VpmG6l`8XVz6U2?53V+ zvr7`>(F(@eL;vlr`fm)KD!i@*uKbcg{65hXT`g#tE1-+Q5OPyWnH70h6qlzIK#fAY8nb z%!@$y2xjrzxEwa%_{{f&R46z2>2%M3Jl385vX0QUwou#5{UqwCrb(IZvJ*zpW8e+c z-O?QMCPxJ83}9h$bZ$Q5Sy-nDEWF`M)I9_IlMp*XhAlQxi@~0Dg1z|jMCZN*jLyiL z@|sAvCUxiF6Pm$w5}^G61R}RCWJHGX*>|6w0LqmTJe<0lJ}szK1{f1F8Pv}IhG@)A zN$rv+7?Lnfh|^;Pds{5IE#|IR6m#1?1K4(S<&YrEz_yC8ZCqNAn2IUmXBlt8lpcD4 zIGv}t1E;L+vx`0MY$Z^Ozd+ns_c=y**sLw&-amnr)_iz)buWOLNx>-3R@i6M;Q%4t z1jLhb+_ukmh1hllK!_`ol`fpgx@TH|Rz#4dFwy{jlE5!qMux=`UjTTub(8s)w02Iw z$3eKLbx$r8-An~UF{y~nojL1-Kx_ei%p$ffXZUZIr??6r~ zk+bQG#F|yBOv{hSo;BRJLg*+dcd+0$*lqa=L_>!7_9A_QhCM_>CuqQ0V#(JGOI{NV zQ3EJk7Q3&0RWM0K6E~^ikar;PC=s}NIWcM5+DpVFHoU?+D)ayxD7)*v4hDIl%wf5s zkmjJ^0#R@j6kwLW=9`9sZhM>{VUhUYq}g4v4)|DXbcdyZckwqx&sqAVg2bpC_t=vR z?;Tn99G|xeLNAPz@CxmoTrVmsL$Ip|>_EDXkahqmD!XGNLz>wa1MjX4(!T|vlPhw# zo_1F~1%#Q`$fpP-Shv!TCd}2?2JDxS}$aFzm@Q{uB6uM*v=T6x%EQ4h7d|I zrogqid*pk9ziMJ{QV~=914PCtkOBVgdWKay^Z3fWkPv=3y@Eq^cgGG?IeemjlCZ7& 
z3Sm3@16Jv<>6P$aqU#3t?C!apqHZ~bLUM%cs1(La>m8bO&XYoRPDpGkcCosJVbc~M zp<>_w-d+8i5EO3}==}xMWdwE2DiW0CyICE=CT&6c54_2{E1nnC$a)IWN(c`FA)4sG z9#)OOZX>NYmE}h&5IC%N54<2mP-N0hi8g*-Kx^nBE?a~N&0WE-k+Fy`+0F{%>WKJGK9VQN+FAjDs9 zM8$Rzp5!J$D!sGD_O)$ zaQC-+%b@vBi6-3*U|1wJ{~W+nlLnmCz=e)hEr_(>&Oa<#@_;99CRH5r4n(gaJSTw% zExGI$j0b_1^jz`~E@9_GBnNkW2iOp=#mx;|g~4yY+e+}(ex1a-{Rm@15T5jgqic_7 z5bi>hrzP?Mf^rB@Q2Q-MS?vQx)_|KI%?ZSlaJT-FlC*QfQW?Q zwj2k)dkLu|1?VLJa~Z)r3z(Qeb(~;a_wJ)ANfw8mHOmoD!(EKR#PU`GvEduU@)ai; zh=4hexi}(7Lf0W2hr8t!Aq>O94~UAOcUV`-R6B+XO=^l+E`rdtZ>C}DaP zn9z9JPcuxO22>7zLZ@?x8shHwtw3l`-6E!Q7YO0Db%gNj86Z@LB{RBgqB_bE4dF@L zv%eD!8gh1E@&5=Rxd8BJ(0PAg;Jb44#4sS}i94@TU=SBO(oK!HHYO7gnRSF=(>Dpj z@;@?;Wp)pxTM1!Q+!bfL)x~xa&eOn&R$A~U;PlL+-qAkQNYdLBVG?Fh1Zgp5(RPBd zem%+Q%JT+>H+(V}(k+z+gZM50ljDf_O0tu{?2}-&{@H-BNrC?=4Fhpu42=1$qLI!> z7_EN+3?%~=5aH>HfJkFGLdv+yE}&&H9U5Cj;1@qhoBvz>%D{WmB~?}BCyNk>Aqr7y z+-ENWe12VH!=PIo`3JS$N+1sdB&-are`6p$-J?MIbq^xlxUH`WK@$0-d%Of-9w3+t zH;^E0_-L--f~WBrOmQllsFYm*QFGi4vvGjfgFD1g3BWx`aCb|%+dszOdOA(RRm4gY z3&QWXt#bghcM~#h5i4uQBmsENw?wned5X?B?D;qY?1>QF48abh@Y6<@$cbdREX*M6V z!C5-u47uBybGtK3-$MvD0wJn!@>8q|p4j;iD&C8=1_BwmXXc{@_Nl9*1oSk3Vo`eH z(+p^|mop|P2#e&NSOCajy7B_SUj08LfD0Be*q%@m!PdDdgjaIUE(FX>ho2X360*_( z*f@Z5d@+OV2{*wGJxPU-P43bs0Ka=@sn!AG4av2wbe3xM=NLv$sSw7nvr`BQ<*rx) zgyE;Bo~5d^e2d!k)aMQ0F`P}APD>%yl)J742)aJ1ewb=;5Xc_Fp7pXUklE*>5Y5V6 z_JuAQ=p5B*-6m?FC11({QSd|*0%f^pz6dl?2htaQTgbp!pcsZjSYI|MDx(;e=?oNN zak(4BrHOq18T2)TW%IY`6x94x21|7FX!RkDdx-4io>~dW;m6Lm6N2MFfPUS&Itv7W zb54jB=C1rI;M*t74-xFuo2h%RTw`Eo&UI z^LxmISuE-hKFvM#ja)g$UO_Oo116R=%bqlBD)vrTShX>lr9m%hbCbto_~#-To4e_o zU|07P%w`aAL-GiSsKq+xDMLi0Z$p0XnJOlfJ;J}a=QjvxKsH$*C4ywvaTO z{~v}S%A=mSFHP{paEOp{?tFYZDK5@}I`kW`PY~?6-=*Pj&L+TC0^x0*S}fFethF>C zLY+JJTS6LUKY7!KXvLyanC@HefOhtGgfz4QEjrKQ@31OGq189H39UR_i*R`Ev)>ji zc0aj*FDfaAlUhV=fzO_Fy%YKt$d>~74aqY=juxA{)gUj<>}ZimjJ&Re2z>65Ex_Mf zj32j%#eidyz|>0B?AS`GZrwJ{@o-$M;~M01Bfpq58vErAGw`k9^CA}W`Nw&o_cLYq93>u%lw zL~dE_`_yUWo6}A26C7%|xxDOs-jynm6t}9fEC=!~P;;-{R*={n!vVeLK%Y`QQT@kU 
zsiy`IiU+|H-8uM{7WYfG&@|?Iql-VJN^0QA zq^#8OKLYQwg!h2NyXi&X?ITa!7DxG0WO%hh0Nr)s$+a>3a}j6KU9eZk^ZuVabZXGA zhP~e@oN&=;czM|)JBmZzfs(^S$?ETuJkQ?N!#RSjxcmlJXQC~t);e{&m#1y zd*Bzq+3(TP+LUt7fb+QQ33!(i-ladFJ%Uxg>H%Ioj~4R|1bKBg9R*hZGJF$ZISwo^ zW$yT2U{UjqDDe;0F1R#D1X*|IF`-d}K}ya-R4U>O&t4*8$+M(UmY!f$?aG~|VliK? zBW$g^;@7CDT&@qnQ44WdY6y6GOtvKuVY$BjBtz6ahp!|-($<5(xbF5>fX!RN!`371 zo&w)R!q@y9E#c??mf`El7pt|bN6=lj^EbegX<5JIX(6jSfe$l))n^#KsKH6KrkRja z-Q-Lh!F^$L22O{|=KH-F09~q%%t7tfgPI$X3w9MGK7y6m9~d=JT0&9dHv`CSgW$sM zl1>oQZyY*G(cPuB@V8j+_@01t7qMXe^VDrx&l#j+x?*`I69J+byJyY<`PClYhN98+ z>83g-@C*VvsMc*D049Phf9@dxw%GtNl-=g@T?oK=s{MxDQUEUY5VpPD##r5~9Ef%>(WK_j5H+YBHygFZu`I{+H z!3ep02}2S!UsXtS7ZS4#1Y37Ed=?n|vyIu?MeDD7k!Bm~S^!!v>b*ey2=-N1Fvdo$nZoZmAn3i@{3XHG z*)zZWpK|i1QZR2=?|}Mj1RqYy8<9>q;upX!`o56N4f|=)IrnP} zEcc|X^^e>%Yh9g(*Zf3oe=L3e#8Xps!Hg(pP5);`{@o zuTHFI5VyL4`gd$%z&O=hmq>BC_^mv5$F~47^99fo1b)duDNf&E;Qij+Nl>NLY{TX} z_sq8e`KkwD9xN*He04egM|7{*&xocw3fQokt@tiuxX(X4ffgGZd$;7dE4K(%=hG5W z941w%Vx2PYfMO}3*z^-(^`WO3`OM!u>ttuQ=DAz83a*S7*P@C>!vAw)gSt&9p8$3v zf$ap?dve@E-(!>;fAyN|x!*(MZ4+dF>dlgFlPV5*2l%@Q{*FUL_KEK^_|pHqhTZc0 zJon`GZb{z}g8iz5-T4fIU8wx&Yw#rcogB`3KXpM!?S z2Q-1CVPP<;rh=_b_ z6B4Nn4)4u#*X{)pTn9vK21M=?*8yb;pgRfl{B~;8b^9}dX1840V@VwIT>28m?|p!M zozIGXbCEFbhP(s5`9Bam+YNlva1!C5!KY&?5be!*Nh~l<9Dq9i5#ZlO`bO2b;SPvphhP&*cx+NBfS&iPVAGsm5Sv#1l7Y?;+Jd+xrhG?_ zK-V7uaDEhi1%ccFkl1JFJPMGWeko?0SJma))I!B^K4217Mi-%zlLdGl2*oOB4Zt3EHv~dG6s~0~)y(ouV9aI{rt% zf0f{$2Yd+Hp5HL|Ca!~kAF>6|b`rvT5;!b_f9MuK%X2~+_WY6*ZToK-CKDe*UmOz}6lmIoS0(08^7eA21apgg7JSC}&USxw}t`Aua3EwYvz_0ieQ) zVE6BVN{O6_+yJ^o*bycvLf#hq9y6^op1gGsm_@%Ld0YDjMzQH<;p@9Yoq6uM&Ti3s zj*zti8E9U8j`7+c^942`2FdYr)gSZRLubM7>xT>;a@#F~Z^gd{1`ocA{!Mm5-$IZU z?xKSMKv|pP9zM_NXEc^~^4klPq8nxYd5jQ$>ef7CEwJG%+%c-)@xQPNMh9LYd~(b? 
zd?C+WZ~=8pA}Y&WgG%r6%;R@~LUA43iFl8C?x1=u|KEbdbX**Im0`{t%!RPaQQ*{H zVQBd)uzS90N6DBk%2%!T2wd${%f-j3bI$!}Tu*}>I}(Zt9OKu}t+V6qtA7KkLgafI zTBU%XlMoyO0?5gnk1+&YhLNHA2tEDmoVdGe4qV~#{yG17(LSqwP5txaTn5;v6_3{g zMaUU~CMS;l%JHFs&()mM6M!OdjU(FyZS^%Sb@3Vs(Equ(8mGodf!^7Xgu{- zC-f~aZUx30lAXW^S>8N9BS!76KuXs7PsZKD&A^x(G`+Nb5EKJkA|U*^*1!?(f%PC^ zJ#vC1YtE+`R-@At&r~bRW5(+j#NBhB0@B_h-#ccklK_31Sa|3aI!kl#GYs@wbyyk= zT8G}DM%f)p?vA;K7RKEL3xVOym5q&c4R;M1#5a_}UIOd9-9iYKo-9Z_ik-W~467}^ zERYYOm3}=BJ`s19JOQ*B8tsKKiQ`2rvh!}a$sG046!M+8z%6%Q_t zyDOIiWMOK$o+^4N0Bm_dh|0F#5~*{)%mA7}HrQ&rR>a-qD*~;yfdE|qAhg<=uNXjM zcrYbz0jjlyT*|Fo2^Ir)m*|p55 z4W@EoQlpKPa&6xBWZYf-Br2p=?D2%?zZ&DjCYejo7ih75*la{K~}*?UFPtoS3T*_A(FF#J*12+G{tByK8Qcn0eF z8NhiP*=dV3bwv$LX#c9y%p2y^RSGO8+4}o6#Cjvcp4+9+xJg2d=z7Tiky&$lh|C{_V zsp61#;LuURa!6v?wwJYz31mm`ZQrV2q z7i!EiVemA`$6k!PTV50-zvB7yF{$E^cL2ZmMIlff0FN%TVL!mD;}SZo9)TA(d{4a; zcXz)8di^(i*Aa;2f2JX1;Q>}_f1o`*>dTqQwjW`|@gqPBzeTr`pzZ-w5O(p$kx=!h zAdER%e;jugqHJIbtDRsqUmyyP|Ag@{G}xc!=aQeq-4h49CBvPBYBNxQ?D=hsY%6#m zp%FTC$IEed(aWG(9=_wA%IEJB&2tvuu#I)`rwm+JxIuy_kJ@ecY23XC^y;Xc&nx*V zg1YW6G!b5Mm_g-13JIE&)XhHww01ztbf9i4K|Kbj<1lgWU{GbyoWQX;Y4terbF4Ie z4#?fRz;Xb%Zb)vpNGru9zht-qArq+*Qs8zTfp8oFs_-4?Q$+sqzf#NX|CIqbh6h_z zTPVucrVQV*?JnZ6@Fs034&(g5Mb6l{TBgj;X0AEbC9k-P5lCk#|f@ z#bMb;@VEVq?!ayTt$`ob47&5nDdE9WSnQkv%<$W9#|iW)fJWbJ|6NAVfdgmfPeb*c z24wr*+p7e1-RxeXi*Eb9ftoqyB?+dmyv+H1+-*Mt(B^zW%YM;-M*tF*mrZ{FNVQP4 zBYlNBGdS8AcQZGQw#H4xZ1LvOh)_+uQ$KI78Lzl)$f z3uv(NFFtRWQf!A7GkSrq=a199Bds{c#&QsM6&Y|{hyU1YMVJ<`Nw6!3B)ycmAvj0xoq92JSpZ~F5V!z?g ztAMJS+ztq8-)5WpD&~rR742=`T*FbMu-j~F3E>tX6rJItCLot%BMiI8);2reT`)Tz zEz_-gY&(GVhU7V*Ma%4%YtR-)#WZEceQz`GWBKm#j{&o}w&uUV)=pJBHn*2hQSI}9 zL-EoME*Euot$AL)d-&t|f}`2qUF#&YYd%gK-SkOQwdhEyY=}M7j9N9LR{Ww`@YdS= z142rU0R@KG=1+Hx!gpV7`=|2Vee;1L%X?_uxUaSfgke0M*Ng6}wSNYbDfMCZijbRX z>pqk3F2q-~MYv7Y@)M*yPCmhEX-5!LyYT~qchsK9cXus9UHzBR>^o`)3E8~nUScC| z+Y*M%4%ujsh1^a%^x1rO>1PGTE^eotB8+VkRwH*hO(cr(4w(1M{?)jytF~5-R!95JP7`iTe znN`3Z2pM30|7`h}^WCE>1pUff9&-Qe7~y$U(!Y2W!;?V_!fu}J{Yt*O;w!)wym@w! 
zFzo(RFL4O^$ZCecjvK3M0`oxd&e`d&=DX{@3Iy40I4?OUWa|RZK7!fH*BROn^&5HH ztbI+syJ`)PvKwZB+h*$tQQLxE;&|)%Z!knQ2i5UpbqPu@M&-=0K4Wg0W(B6oLdzT46YJn9-5zfZQBFfIH{FX2Ax(6>)(8nwj)cedKKSz<2W9S2qJ&3nzhR*;eTddg|4_M#`KGqi6v=*C1d zIMcncw(ns8{T|Q;?umum8=H4X)U*Srv4}qSOt(?n3+s*@`R?i+T{QGcpmma)7E?oS zdbZnW&0ojpH*{Qdw)^$juKU9l~M?p2_}6n(|>23=)#3=Ug2vXYBm$agz-i%JU5qxH3=)xJomCkWjcphG2h?CmzX zz(T#_hxzV?9|D_wGi>(DqV+Z`A=R^KA26vYYP5D^8jt#^xDz&aA7&>ndUMsK1oRky zVz#hv}e;#8GL*G!5PIzu#;{1?$$N{w{KP~YNP25z+(j4^fLzDo*ydk zx=V<$zq1`IK?Ll;*uR$GZu~rr{hNOdxN7W=CObIhA3L1yZaLhoF@Fc4?EqTzzs_H< z>e!YVRUOW$wZDKobqG#bcf8sN^zx;|sn(+mbaagXI&iyd$1n5Ui${RKy2}-MyXy=g zJpiPSAUf_b#zuSn5q|D(`LTTW%&%zaZ{6X7F~xd^k+=D$LMAqTfta}c*BNUXeWUBx z@q8RdMNQc)uE341m4xUt5Mj!@_Z5c7v1VuuO;EO81ZT0KxbT&H_t*)5=Xbfb5Wr2# zXt}ogHw>T*TCX8U8~VAE`R>k>fDvv(-%rpw01d))=(h|S9e^DeqL0p=g2mPbj1-uvF1zEygSb`G7G83yte26gh}L| zL~X6RS?3ANF@QmBcV1v%B&A#j$T`H3KVx?GX8_B5D{IluMC&eFA%rB^ax6EQ>lTW? z*XQK)AK>&Wx$nMvKX_L|StTal&hp>H28o|pGaoJ~DVd1>;^zY;B{NEfSCotsukg2| zWEj22Bc4l2#)>DrQh)JqHy%fnJT#-EBsHoG5QaU7mkkf0+`Xd&Sn)h! 
zYp~#CJvdo18Ul)@6VKCzi>j4O$FIl6kgS3$qO?VzU9^Zd>I8cq6(TJjVi|6UX z@#*LiFrj23gaXeRQn&kf^HbjWbD|JWJTsMOeTz&A=f-!lVD99{t-E15hTFNcfg5ktq~ z`=;Tj#n_3DqWsVc^ej@jT+O(fIzu!@!EsGfGi(hIlR>hN^sE#$-XyXuumGp6{Lk zrVM{@GzvXD426bQ;JKu16q4@|s$l#KsD|Mqg=%;}JP$9y^N1Out4|+>mt!a5<*tgE44;awG-2Wd ze4iFwVR8xhGob>aJAAMZC5krNjH3?B0QvswUgT?cE zgy@VR(PGXp9e*q<3Pr9eN ztm^h#OFwwuw1+=96U@TT-CcZNGQ1JrgHZ5We-GmD^KTz`e9$2DZu|%tkw29pZ$!F& z!k|I2lz5GL;fLrO^U&jyCyi|?A5%SJ@D4*G>u@4@8bIj z^gXe{y| zY1|`cHD%=A*x@3d+SjAMVe;rvGbY_Oth%iBp6OGoZhyRd(zvFFKX@zjCVs|NWrjDN z@R1Nlz?(j~W^&!bLmrwob@ZK&K0N8Zx~W4*+)Ez+zI0Zh%_Jzg{|plo0q^I2kv~g3 z47;^#$V0Qn*UWtE;Yq`$m5qLAR@sm{o5t7NS_!_^l6*tHCJh(EWq`!|bK1n0l!r{>!~B_~a` zWa;C=Y4zWBXJ_>nEOKXz38VF+;j8sirbd_Rsdy0vlE^3cq(UnAHyirTG(T9rwfRr@ zmT%c&550otC-S_ECv%EpB1qgH{b{tmF{Z|ck1`OjoDu1GD6uz$e(>db+BYr>(AaUohUB@IAdq@q8Jthnq>Wez0w4 zO8)ZwlPml)=0AbnrO2mQe;s=_d#mRlXfo)-zAXX%Oo0^o(^V+@mrt;oPp^GPICGv8 z=$%hj!^Qaiy!3eA+&ol=h|%nKGk#|(_(^o}`tmxe_}??&@2rWNA7{(=#R$cy)Gvjf zD+ltZ%P-_h<_H7zQ{>Z}k1F-@WPP2CHyfWue`wVRXAby#{2bReyKBbpSbu~+jQ5;7 zGk&*CxN-fAVyiFcd;NG{{}TE7Z)Kx>TKfv%ZwC2qCKdk`F%@IOE#_(k`Nnbz|Iq48 zjQ-({@I75s-hADCk19>rC1S0${XMPTykgGICzTtCJ;w$3R|2Q2Jpun}8OS1WbxVE| z{&N(rN0$FaxXB)Md3;RE_3z2D4!I0JADK^ydv&*;Tz^CX@(cc?``ZPQoHJuQtLby> z4TBNTbUQEtgFhYy;JYT|x zSe?$?D9@3=8D*SeU;f9e#rndY@`>BmwGT@z{NQ-oJ(9|VyskBQb%kDeQ@$j0%+>Gf zXf@nSw{Dl?8|Jh1h50U}oSgOYaaDhNsNQ_cydCF4o6l#ikA2ENwLU(Q)*Su5KR#S8 ziCbz1js4FQ|GK@j9l}law?@3VgilkkQ~S+~uOs7`^2O!k!QM=&%Oz}D;%roog#RLa zS{(?f@^+EpN7tt<`lfi)hlRXc`x+t_TyBuZFUGA))VcBLI2ri0`Rd)$o=p59w%RRc z-f$7>07djK_|r`NdJgcV^lQS;_zml?j^C*ff4)7s8^TTX2gFgq3~MdpLew`z6hA2M zqWsLIync+nF(3XsKeHF#hz|!H)*EFh3D;jeA9^8N%g?3-&wt4C#AiqO*`?Tz__O@{ z%)KT(y$)0pr^nXm`AhJNsN^d%KkMz&_N320$Em}f#5AJ(%(|mI^Yv-B2~Xx{{SKDK zIK8p_c1pM*KV!}O7!QxDm*2AoJFr@N(wD#9bcB8h4G#WjHM`$oP916!R|W6)n|pczQ9$!uj+mN9`!=R0yiJ1pR4+>yC?p9 z{#!D>80}&FjQq#meq$=-%zxld&3_p$jgR@q@R_wLel`XCoeP|!9@n!(zC<*=TQh(5 z8$8Da_k54*O~hZAuUI3nm$X+qnqPL8aH;3ChN#Upx8Ot7=Nq@gFAOE)1s~;@RJAvM^1jTs=zaftjJoey=ocz8{db9QZa-RffbmK*)~~vPFH`@Y 
zd_Ea3N@+me-($T}F){W7w|Vu2-W>d<=9i+sGOS>~0CDs z(R8&eJ;~$tXlwM>PM2_H|Cg_`avl2$H?I`8)gIW;M`Aq+-lbM3xH+D4!S^q_U~9K$l7MAJ z`fGwOlin%eDSDMY5&!I?{Yt0A@$=VT_nmO=30p0Hj#~ecq*RIDU_TA&PuWkbZh}|a zTg-1^C0QTq&mo_b{a$gr(W)7M=0Io%Eh_%FTuxg<`UJJF)(9|(4C`0hC0vFMeIk*E zAMB}H_V;LwTE=>e{AY(e9QF))4f3%)ABM-Bi6S7GHjH{LuVi>ZCFzPkTS9$XnAQ4?Dic8s#;< zrmf5GacelAIp^i+YWIw_XOEh|+G-8V_^zVy^6(w)>6h@6FTa|=#XsiA&jzjHZx=iG z+x+=qjdt`enfkmbkE+*S;as!>&nT~^OE`LT;19FqwZZ=En($%T-eU3a8{vCC8ME(5 zpR4gwVvW_^*KEZ-anyjxF7~s8AO0BmYc2kAyM#;rnX+HS@0dAlYq%e4^Se?&uiJ%? zrOl<7-bkKvELsMC*a!%hZHpXv&KZM;_?iPgFGk}D|NK(*t{c*q@*lE3ChcdA{jwnH zRdDWhX8+n2IAyQP6Z_eZ_p=YshJBqwT-grvECeKgQ-#^AH)N8_c3tdI< zUy9$*L3NY$x0^2NsXv3ul)Ux&r{}f-r_j`g(M)`N)N5zh>pawFyg8rG= zWBe$5T3-n4_nrLY&sTRE!ejE@eUHm^#*jg{ztR(a^7BP|KzXF*D{GwSx!F&u=vhI( z38mn5QNJ{-j{||H)+6#4*=Hj|{(AkP?UEk!=*9hq&{IJj3-wOO$J)b`i}d|PdiE}Y zpv3&r>vO*F&*2Uq$*1)B0DpD4oM8XABK*G+8@@x@x9?917Mw7zwE8gs%W z9@6E_m=$%*jfzuI+duZ}H8bo-$JdteWGMl@U|K;x*0nAAPugcwk^>2CB|q2*KXV`S zNPZO7C$6guaUffzfmu7WP)k?F73#FzBfs=l*C+^FsMxG$tvG?~ngd>8oZM-o(ehy|FxK)kpQ z^C0}Y*=2oH9u<3(pQNAFY6S3aLZtjsMpE|RseMuY`X>MVQr7!oMV=2E_k*xj)e`&5 zx1Xzk_Nnr_$`1Qqe(1|Ta>sY>vc?zt_PAF+Tq8$44{1RE51-Gs59>OBsf+3B?;mTr z@W+Jbzi(TFv*+9Ln)8`gM{nSvFIelFyzZvz>#=xrM)+3tTVF?2Q;RK61!|-*X1nMtL{qgs(u9m5_I`uQa=_ z*$eo7rvG~&y-EKkP9v$0R39?xt;^Npy}k#CehcA0U*8vm@3Zus!k^jaZ2L%c4Dmvb zaMh2Oux~Sd=(}BlKg#s)?))ahzn`LysLxmWk`MbPm&9k7U)_Lk=^rW3cLM*NRV|QD zgBu#ZDSw$i2Y+|T_YLyD7yR5-DYTzZziNJ>Pg(i^@oLM(hKNBvR|CTTK4CsY@`?Ja zkN)JMWL!VoE#cD7m{>myeeKHssWTUilF?sTHNvI8^K|@*_U`;HB_BPXZ3QUW{jPlC z^8@kc9qCKPv*ScO8~9iXg252uN&Fhcv!x4`$yKPdMOewxRF?J0ucqYd@+JEbID3Sl z-V5Y4En_Gt?X;w)v&(;*)_=m2@vQH&9xJ4T>rpD7^8(UyS5Czz4XvK!w1pn>qdpQZ zp+@*ITP-(Zo}&PVZ!%uKKl~GF#9-4E-*M)(1a)PAw^Li{300jqq5XK?>)JiYH=4ka1phZ_*i zGrL9clD0l1`x5LsG$|YW3+6xIJQMs!{2XGxcOOP;u!l0?C#~07AMG0UaHxy_EWnSg zL*S=UitJ6tAFmN&{*R3M@aBY{q7S_jDGw9d)ulqtjd~BgT>GWszVK;qqJ@uAwb-t@0e%17`iv0OQ0se*Hm-_#2;E(#U zKLkJRMXQIZMOZB@gkT#1`o6}IYeow_oB}^I+Phi}KRrG63Sd%2BZTHbQA36iV 
zIY^Oz((P&f_;7R1cdW*In!>NgfBk^?rMIJCy+xd&^>qWa>%(aq{L!_*Psnc%`R>@m zvyA|Yp21(YUBaKpS|PpCH_kq9r(1#l&CJ(Y9IsAv>Z2B+Q}Q*|$x06u?5R|iU*Z0h zFZ4@&CyZ~cQk ztDXqo6L*n6|M(s)(Yy3;vyq+w+&@72v*k&9OUYB5K!LvEec+&~TtL4=`Kj|F1^#J< zID7aN_ISc{s#q!w`9PQOQ`U#^eR+$$r}Ods;rx9wn87{^^zYme|CyhvC&u)@A%B|w zd1psa`~Z5;ONw>y{$?>JxW`e%epE|Bw77bG4zY8ex!JPKkOR^ zi&trR#PstJ!jt|onSa_Zw3mGToI8P2bqRkSo4+*8%lQlB$0SnSSHd4+@(l==e&>XL z4g1RRX4gy)&Z0w0ymKc>Pj0JKW>)%J<{;9n>JDZ)$(DlE;x`zO}ftemO_MERS3p6IHFdgLy)|E0-qSetsw!+!QT`G4h|G|2xKNBu?o zYv&uiIpLD;W$>SI7XTTwOXqpDu#pkKJe#*J{+(s6@xP5E% z9sP?QSAxiO4@AZNL+rkoyB_PWbd8}t*;^{Tj~(`xD}PG(-MP{Kfq%kd{y3r!Jwab% z@ACTzn5=d{eP-I*GwDg$8|QWwefHse&HUYHAAK1wKHnmH+m3KH7xD5l`3YoMC`OvO{N{grEuNAVp#dHkS8g0r*e zrR05EIQJ*}E~pPI_`Zri!u285A6g~7rNKv9o|^ya&p|JJ;^D(P3A6OG+OYk`KehtGA2?u!f6(wPtd|~^ zruck8|57L~>r>#ddQUW8aEIE&yZd_LIV$XXjn+e{u~}W$OkaOM_+t)z=qcDOW9I<+ z!cTrY;#NyqQeh_E=9ACRzGkxG6{w%(KmZA@F)QtCFpm*gC{%wh# zXgRa-I%y4M|FGXt{2vZ_>=2}IEj3DWRHiQ#xZ&~QM-Ddg!el-BjV4OzuP5T zuIBnr#v=p0`QOk_zCGFjgb?3<4}I7BFmvC`<8U8X$Ux*hj5mWOHN$e}!;(p5e%fH8vJ#~Qkzj?gQfbh!i z=qouM{w?RjCu`gvfpajZ2aG7MeEnJ7zu=#wwfGO^iJS*~Vk~F=3HnE*KZ^GQwcg7F z=lXBIaJ+pF^)XO~&oLgb-A8#yUX?{%>u-MRRZ+xpi9dgST@45qR-^uAXT|tD)Yxbv?tiyInSHGmoIUz7)iCQ zzrJ($b6wDr;*X2=pN_wLYS|xC?3wXQNw^OJd>_ew4lXO?hDJ&rmg{D+=D`-3gu;=gj|=c-;s zEU!G5AMp8ne`LEmz#kx<{P}k1_gMB*{gW|$+={-~N|&#X@Lpluk#i@{bL3>aWm^~U zhoUI~i)U1a67uDlbI&g6Zq4xPtU`>9mm|o8I+9kt2rk;wjX*DepuXNe_+(#THqIuOujv!hvswY zHNQZw+V8j$dNS>KMSPLDDSO7B8ZhEd)<65MSsu;+t#|SL?X*0&-@`o?IrsB{bHm6{ zuPwj-V3fzBzzgJo{Vwh)$hjBh7%ibEQyydDOUi?P!^0$R9e;Q>$hGQef2q~y+!Emh z>m~a)S>xn6rszI0Yfv%TpF1Z!)=yxRw|183w$FO2h$b_BdM3Oee!`p$<()h$uqeR4 z6Z~fXl!^av&a6^^-|a)_@qWFOKTYG0&O5gGzCk`i!4Gpe(O!;qSY&34A7+0$s>6TA z&o`v%J-WTbdoNy`4c}Mm*>U}}y2`G}kw^CVfP(c$^S9dBfZIOnt@->t6CUrU zH_o5<9qRadP6haPf}f$jVSUs5OR`s^Qh?v>qZAiEZ)T=HJg;F*e;}TW+fU3suL+O$ z=Nso|=055p=`+ZGE%cx6AL+~VUXP977Xzn|)kp1DzmR^>y!=+>AMyTOBR|?%gQ)l4 z?gOcTpB~}yes-fiG=8G>u<4@6VaRvd1HxnHS{ox&IV-i2@S(aYr0Ksh_;~JEIn}IZLfCG5dWHIH}IaH%FB+{&o%b%izYm 
z0YYtqyf5d33#mu`Q6H;JDxd5re0vgzGcwbIGy0%cohLu!ldI)odhA)k{l5k8U&#A9 zKkEI%xh=OwxH#RgpU~?5Eg84izJzAoKI)t2bBJE`LxlBH{s}zd=6{VX(^PqW$mfFq zOKsx52&;t6J9stn-sj&d;U9wI-vh%(tEay5{ffMwzg}Fq#4o9Kbf=PYca~b;bp1kJ zfJf^s?hrRWzad<$FH!tcBYk^`AHw+1z2kX7o&&&9P}ULq{E2_)@5mp2Qu68aF;#X0 z$}^w8hR9n)ExlH*{5$`7FCab{FREAAFK2KqLX@UoX`)iKPMKdTp$8=fxdozzzgnk& zP^egG+~4c*0`6=Be&I}gWyT9T!7r#ndFlE155kl2LQnX~=hs0EFcmLYclf1geQFb) zj2FZnJ#{vaY}{f_nEdrK;i>*kiqhUr;2%a+)GAs?w@v!x-!wY>{W#>;I42R^@25m5 z-@^aVe~cc6sH<=f@k8}Uv9B5*-tm!)|KzWY3KUdHVO!)cS4|Ng{}vAK?+krA9#Z;; z)h6^W_QTn&K8{Q}Ok@}*>}{j!Q(}4YfQXmBKg2JL9glT`|NF;(|If$cufM;ZKL7P= f^Uv?6Uz@l0^*?L%f0zDU`iK9&|Mic)byNO-i%wSV literal 0 HcmV?d00001 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet new file mode 100644 index 0000000000000000000000000000000000000000..0658a8c7151370d710123c05e3f400629267931b GIT binary patch literal 22402 zcmb_E3v66fcJmx3F(lb!f%kaBhV3k6U$f-nnXye~Qb_mN<4>H#aZKXRXuH|@ys^ig zkC_?UvD-yan$k3NDWzLVDWx<`DW#OAG>y^-A%r4?5M3dj?f;$Ie``&^g|ChGsN#uXY&AJuf1-A9y1v~7UR8fiVn#B8fAfO5V~zKzqc z8UROjM0SK-M69M}m3=rE-qKbyYN>3hmRdV+RI2$hNDL%jQ)=1{WV~)BAk<`yBism} zGNn)^HCHvVp>(-~f`cJ;-EXWLpw>4y$cb6x%vQ?TxlFCKlrqJ0R#MJNS~pTv55oiK z&5OoO%SuIblR6o231Mx{0IRGRDdBx2;Y$HLj@ z_HeW_n#x2X;c&RirMP=nGD}_2D2Iyuxmz`t&yw}M+@iePq7_inD}ujLD!?Z0lkek_ z`8HZ_xl~K#OVv=ZT&;!XQw5h8zU>;Kx|=mzEq zA4va1g1>#>bkOPITF(^9bJ<%gE{sYWe1WxWpi60m=PBR{*(~Hsb4T0h{RphpN)>%} zp`6MdNv8^_QpTuYL&>Nulq)kwVC5ZM+yo6(BQsaY*A|bU3@T+54*30T==Ydo-&8+B zT}?#6+!pw^>T7)8)Us;T$v3~`F5c3A8z9Q%3r4lIkgwLjbt;>b6RY4)JJo`s@rMr5 zsB=TPd@VFtF&0Bcs!}q*j9`ev4b=@$H`X-(q1HBJdBwIudD7CG-38Un_W%eabj#h` z-0lVhxk_rXg7U70Dh7DBd}$IMs=0Wq_4Tr0ZyM6dskNkk#=kr;kLW}K0i*lkx z`!Ncvm;8mN=V*aezC?D=`tr?|M zsdmKAnKlEvQsf|zJLEgKw$}hP`;BaVuIN(j8rH6wpANFswyFVf2lyDW#U*7)3!{=; zbKJJoQ!dUHz?w2fs4rj2f_3c*^%Tlg58Lt`ss??#oMhfoTbwm4KVUZ}UkD9>13$Lt zaTQ{NmrHhSyhjyJIIczJ(c`*Qrk0;aA8qcPRuJi)8WTY5;GCqCzs2UcN#Q+e8-H?= z(nd1kW@pjCM_cn^0)o{>!K^B)+@NqPGxh2YD%*IEDxMfE{1~wz1H0g4xw2^K>`_U1 zRMI-py2K>=bf*~p56=+ra*KiYsBQcS$5|S=B~wUMt77?Ca^SxB&5I^i>{xiJC7Y9m^<$=kS2Anpjb&D}-WZSFCuM;oJ-YwT7g zHW4DdAt`T2+5oD{W3D$mrwY@E0A4Qo+IWvDo^YHcxsAAQER{>fk#a6qHEQIWEJeDf z#{?idNFb-~B;f6zR#UUeJ{TojDjUS|7J{*kX3lAVZHK&rtLk=ugL`~A1e<-0;)_tt za39TY_ZXylH9F|p!ooZZ;H*I6ElGJx(gsmuUI2Wc0@?S=_j9uE1T-^7sTQhErDiZN zg3Ljvn5xWRumVHvA>Exm1698cFBaBRj7fgz{ZLXql(Z3Kzz;+N*g##U+{qbH09mR6 zu^om#aCDo2&=hnz=W)VNyvM0N?Ot58qOp>dzAq{7OWH8<;4|MJE^rW&W1IsO5MfHd zfb)GJGgnB}%9T)N3c@#!P*wFCsrvRf`M5PBw)3^(v;m2Tk0kih4k16jkQ(6to@~w( z&qTxEon5xnimfWW`_g4k4V9Dl|hJL 
zY*iF(E|tj_VBZeSmkV=695bIPl~Pkc+IQveZX>!Wd8YWlQ2ihPaCGmhTJXKKMOr1Y zYXdeZ-vWuQQZ`k|TBom8C3C^cWsLu%K+uUUfy5<6U+{P1QWsy7Y6DZy4t zf+rhE5TselXH0oospe~|lxwTB7swCZG-cleZ=l7x!}cNF%-T9_Y7J{w&ChQ@Dq^)f zAt_Ht=JC893(!}Wki!i%R0G30l+Vmy2wi9V8|wzB^$kwaZA)URfkJNq3!N(EAD%NT zWwN-G-5WGV3Y^ph?S~@a_)Zu7tEpLKA2&&>5b?64EKBCaixWPO^?>{UU&MC-LfDT= z5ZB}St=1s?tA^%{LODaJ6c}xfl<)E%t2XEZB-S#DIi%i}g7n%VEFDYC*Cgedq>ZBk zY5=n_KA`&>xyJJ&7BdvI<2Ak7bMI!kNJreho5kaiSo7Vi=`5CRYX*BIst{IGe|^#n z_)19t?bu>zBne-zGMv`t8Tr`4J0In&rSy?2i^Y)G<1*jSs?KyW^@ z4wXM33ZEcpZMBj)GFO3{4+xX&M&pJ7Sa!?1`3n6Gz>LEE+V(IQ$<9OJox3{YyE;2} zL?ZFdXh+gT)OQ*TRvUFTAbwM^oXzL*Mwas6N3txB@r9&(A!$imr;Xq?LAr8oJFkaZ z80?Q2Iva3%TP|Oz){aySqjcT;Hb)Em!m*5NcOB4CSqLq_ol}0^a33ev**aDG7bpGe zDn=1<=5#1*%^KAVnb}j4@|2|QLIv5U*1-XSY>ScSdR=zqnenwPMs*!ez`IX19H^Bn zUP%HOS;Uu{6xMEE%GhEZvG7RhdDe4J^!5S4Z?^>Ns!Qs>%Yh)A%V{95>42gWQ7j@l zMY%=Ls<*JsWn~dTv!cS*QD2!5bd@I92Kz$s?O4%uc#t{t<~RO=TlXb&(Bl@`PI(6J zo`b6EiqdN0`Ee$NJgMBMC>%oK66VK%VljaHCf zgW0u$=9ekZ%^&UE{N4h(`J=rXPptTY zZvJTN_Q>4_y^{B~DI%8+5Yr4cI1|AvOOwOWGn46}!z<|=^vpWjp!p?wgT9$w+hm^% zYtS#nYMbht%nbTxGi}o;?HFVUOIx#VP7p})PUqPsi}V@DooCnV-KHu~(frZY?Vp1J zBlb-y*#O|WYnp*!>#pfA8(2z)fTUOkMi|RYpX!4*f2_ArX&%?XJMeS8ptSy63~sdU z6l;USj-#+R%tNby(%?uIY;-2G!REW9=YC0Ev)Mtz^qS3v*>DO=^ENsj!2?Mm+7~Q0 zif)7cQ6@#_&4ED3*Z>Ih+PJWXaY08MXB#9uH?ZpE#QB`1iZ$5r;r@Ul7zH^rVaqe#U zc|Lggd-9X~`Gb2cAa87u2hEw6?z4tm+%Cv_w_QAb91)L~JH+E>UE=XfOwe&pBj)MnZ;NzC{F=F|r^0R#6$Hye=%L^wY0sYlSB{BCs$O4l&$SuLIdI#3SrDJ*FNHsHM6jSnj z0eSuR1ETo)`+*rC`fEG^`szz}loYxX?=EOoW2RBR}>AnX=3U< z{p^j7f;oGKv&zigW2?ZjH;Ymyd!toY#9L9q_NpF8UqFi}u3<89*02bWv>qv0e0W0|7@)wWju2 zP8$T|*5ze$&7$ z9(-q-w(nXlP6DiSH(xAGCWyQ(7q@GCE2iOmSSCy4c{-+eo*=W&aOIusogQf#ODy(; z2wS4yZ7?yyA<*KmWh|IFZR%B8f}4Y1MYNZs&Ai}PxHZbIu-}yQX>Cn^Q=*)CS(5Ki zE}R0#8PHx@WdXET0H>VqMZ6ON!}IE9$&p#l$= z3e5TD>itan3xo*=)@AYa?G0?2i__p=+dOW*p2f4rc)3RJ1eHK6KcDWILZ zLy+axlYKiRb+I2Dymq_x#ceD8$$|0<62o(UA<5~0c1;!dECGuR)>Xm(#huz!xlswf z@(Dpd{4fuP2t{QHe9 z+7nwm3c!`i07Owf`k5r(59-`%!LULooBS@_r(OL4$j>)@)*!P66n{<>Kl9g2e#<*7 
zuWb*_2p`skUfixdwjG=|Ket&=F^@KYzx7Ffz<#$~JJSxZdFIY~ zig~mF?9&AM0|xtI)Do04Xe0!zYUJaHb}r&m7Oh+$a8LgYk$Se%BGrmC1+AAmv{yQS zR-Pxco?;$tKyoj)G(5OM?FkfS(I!=YQ9tzdo22EL_>8UDyRI@XV(56!T~U79M{E zP37X>5({rXXtCf^8+_tH?UxV0p609$R-Pv?UjP``DqJp4b|H!?*T4V`Ptt|@=`!s?yJXDUlV)0S9>LK168rg zCxqv*XC!$(pgpt4!ecwV@KXz^`6H@XJvE@6@4vySRpt19A#W%CUXmXPXz%Rx#A%O0 zu^#o*UhVQARDWT1ke9M5PXi!DIsU99?+9og4+%gkECqdizjk3C2+ccrtor7g!EVnI z3ugf{sOS7au{4@gcU~FRE)2u^;2CJ^Ddy1zc-|roU;GDJAD15zc>F3hmmktT903H7 z4WO6xG#Ti7X#xAj%l1zGMEmf^o5ycD!+-M$evsWolHG}af(%_tK>Ip(1N;dU zvjV(la@wZ`1W5HIc*=Vu$_0gyDsMCkr|Ar#1{$ z`cJ@z+YasdlL&vs+x#a4|09C0JUgJYXl?Lu2i~fw>-CY517o|`ZHfA;P&>YsCim;Q zeh~iQYp<>^=slDAAU46Lu6I*Ae1-42z6ZZS6aR!ShoL2r=~>YAvR>8o{)78;y=Ml- z>RBBC^d7{q`|*23&me{Ym{jhD@%!-m@IpV#*Slfpv_7HhLz8{<9mY=~SwrxkcZczP z7~hE0o;~s5_V!-xj~Y?t^y)r{K+PBSFJOQ7Omci^nze#V_3p*wSfr5bFHB|o3-js8?mb8!10v?b z1Z)AB>fISoBZv;Z@0kR3^$@=X0%WX^{zegBXCeahqY^<2{B>B+rw>s7L)eon78XH< zxlDAlkS@f-DWGXQIs&@s2_roue?-h)eHOf)8SE$2{gHX#qnH{Sof+>KnN5$4=8^+U z()Tx!Pn6_C{4HgQL%HnuU{&u&v!T5Z8`|xnuNB=z; z>}OOVC?+(tS$$xnE7L!kON|}W(=^{-pX1oSfTHY<;P{y)<0ol6=|60YcNY+|zHb`& z^ViQ_>L&uz#lBjS5l#A?80(r!4-`O8Or0^pPy7r0CiX0#m`GGTi0{B5#FyC$`XV4g zpS?p#k^@Z*Wl7W^>;imn5k0KTD504Iav$7#I3{0?EiO@5P2 z#%E|e$!~4~Y!eabI;y@qoE#e}r;CN7*)bGlPbcE<$8N!&zCTajNtDET1>tQy)P?fE zE@58>Bg6!;!WwCO7{|9Sbu`r10qUn&*)i}#J&DeSsd!zLbo){YfJr6DE zeM^nu^-@3hVDQi2$1+j$CpK`*e}JDHnVN{!mh{2t#_;w~zs1kKCiwSKKe-CqNkqS1IQ(|>dp{LVD`p^@PV z$Qvm!mp(isn1dpFVVfq=N9*Sxj*m9M-$(tV3ZodGW8iuYZv}ttl$UOoS1IMc2 zNz>-%5nqG-xPtu)WDg6OVmylWlp*!$glZysbUq7y9k>cN#-EtMeo}RR-!#~Ll*JF= zpUEHTGpKJ*``UA8r-yyfRt9it$?@6wba6D7jwXw+FNb0M!}tdKMKAU5MWq1!Q<;vT z9N#zc!$72GJd`LSeWWRzXzquk#Qq_ONk&WQj=`?+j?vj9^(S;+etHry4}NI9aC*ou z0-QL}Ls-RnvDO-(>-lPwm)Ko7{IXFuZex6kev_V*wb6F=7p?Ei?r(f*J9 zw0=PU(d78xY<7Uc9a#TBA9(`%`ddIYY5k@#j89;E$ed6aS?j0$o8niJ$1v(EmT3on z<4?c7AN%RNFn~U{Z!X&xr-}{vnF9H1vWNXN|DfJ|5Ld+k zU5}Z&$0S=N&<-zdzuk8GjU#*#Hx4m_qyeBmnw(Adk21|AreP`7$G73b7=IBF2M~S_ z=?jp938X|wqj($Wn*~cEF 
zZ)+IG``bs)4E7VK0rU}xiN@m-d$6Cy+sQ(vG&GxzcIx!KKUsja9?29B>j_vhjreOP z{xTqwZd?~jsj>K+o`5r7BYW(jesaZP4VvpE1AAR^V01bQ=T`vIfZy&3?60SvUQsW*Z8iQuA8#s3_FrkwrQ9qH#^gn=SC~^;aw23?xvA=%5 z2O|Q#5$MDMGg-h(-xC{iIQ z$r9EeOIqAP9_Z z=bZcQefRzJ=&lbIdEdR~p8x%wd*~r^IH@+Po77Fa)h0D^eYKMh?Iv}N zx~63;%3E|%LdYhyIo26jvni(EovSRA>uN-6(w^0xHMSa&78}$qrA2qUE`r25)DF&s z28bsLQ`vHSzEG_$$Fuc%wK%a*FVsA2Y5s6}Ks{r5gT?aNxk9a$ohlI1Hx=!sVhjP> zV*#CmkplYo39ruWe?BmrAA$TadNk&R?pTKKxEM94;1)kY)9tg z4zAu#Q~vMCw*OvwXidaJKgwHlQDT(2DVyuXIi?iblHNXP(Obp?JZx4sb5*PX#5*gs z>4mI^i#4oXx4s>+Ki0fZD^#1yS&NMoZN*5S@SaXik(&X_Q_#~xtQl){`t&1IU!G_3 zmbEf@?wF$k5E)X3xJ)<@I@&vPliNDdk9Vfi$;Xq)!sO%Kg?#eyM5-f|%_WnGM55Ef z#3POL(i?*E5#p|eVxD~ELX&o($ta<^8p72mMbLt4jOGiuY9U)I;nHB;5f!hEf{RIJq_wu{_Sv|D`m-YGqh zY+9Y(4PQ6~ZU*ADXBM*gc(GhBREw2re6m_8*LA3eIj&kPR8ijAe6gC%EypWM9%k;QYMp&CHY`thEIL=HXY<*5cI{%JTBAuAX3@G;tj7s%092E( z_LPc?;Mql3(x6>l3OC5Dy5r5kMcU?KzFNsI82c%ttZVA|` z#b+0)b@0Nu`AV(myU1w%aC$&}7~}KV`m|@6yi*b&%wy_fT+f?;W^JLmSXhREHnRZh ze6Hlt^(Hrj?x}IGKIqZ;+Q|Yeqt$|~`yVRW4;7;qb?-suhaTAWnf}x5-34j-pGa@( zZeaQk>%}JHFsKGa4qOt#@Hff@Xr@(dl-OfaTZiGW;&YH+#k1FCZiHJF@BmE3F`*C3BH_qhOccSQi_8<2C*@?tTMdt6x2 zE-LWP$RPJ_96m^aQ|YMp9KRmdOmIWO>@HjcEwX4jEd zNId;#AWytSkMdFgPaEed`Ql{JpDW(i#*!BJ>^kD=5%m#n(|dswEVJ=kcCHo&vu3^P z)VtrBKNNIC2}9c`ai@dhX>hPO1^X7Lmp5?DSgX^ggJC^dE5LrSSYM{W zWgiA*c)+z=-OXL&VL)K!DD)BUna-A{3ftp*`ptNMHdlv(LvOK`ohZTC(#65U;eGT5 zV4U2qqiwfX4bL`dXPb;^^rQw*HAc>`V+bng+vXdD zuDo{VJ?y?|fyJ&PyStVM=a}|zb+5BscfB(Xxi#-$suF`)UKYaeIJNX8L=2CIpD1t9 zMG4_-E!~I9`bwo-I8>ROtQFj`U2pfaKqR9CcDAZp`2c~9Wu$=#@_sLj?o-DY=1SWr zW)-2gw-oIy#TdjP;M3h7rBi=wUh&f(Z_%T?QcX zqXQn{z{l0J4)E8eD}~lvr2^QXQQktW6HU5ZT!o|Pbfs1oqw=_-9aoGl)Rx`bfe6U? 
zY;AMfy1V49ZML(cfvs&=FSff3gIYznz=L@h&PFMNHl#xmS_U7FQKGy>7bS!X7*PRH zS}%^Yz$WAMw@|*lJu6!%*VWm8g~ECw;AMx3{AvsqfMy77VRUN}Egwz}gmOi5^VMQ`wiYkIak(C!%g#cu z&NJzJ(FaKPs{|=vD)Jqk(b{6pc2_x!+chb(^Pzm73qW^QIC1d5bPe2q%^eSePjj!Mlz1c1#NtGP2kgnqsgaL#*&fMKuzGWDjZ%NVA7#%7f8Tmf4T{K}0H2txVaAxd36 zS9CG&9i0SDRtdY`vaAvYCZYAaPm1|oC`p|dFCmvRoR<(Vj#i233XC8HhH*@5VnZkR z;v%-n%>~B@L(_eC;H{B>MHnAkg-7}2W*%dQW?qz#lKR3z!XA# zE@0sotTzoraHMeLT>M-WQ##*!wo77{9Rla(+`b}P3Dj`zn0{HmrHo9v)La?{{ z)XN;*i5;Tj%ezGJqdm5`pAU)Z<4=m>>rV+PH%3M6$#HeXqJ86OQG4u=U7HoP&*w$) z#YrL4Po~uo3&TsZHuty70{Ek6?CPH{s1QA5Cc3a}*WdV-UH{YP6rtZM-&TaB-}sIq zsDAuih2e+PjN9hmhHSN3Svpk9O&8{}>Q^9u_h`gQ(vGMbpv<$MAC2tBTPv!wa*lZw zcA;e8NGB99Cs)0P0aApRgCVwN428-S7!3CSdDc0U2sI-7OM;8dF;olQD0 z=S2&>q(n!*p1?BnFQVN$^%KnIF3Z zF9}WWa*7h?6SXD5A*VcZ##hKD6teUNH<3tRk?}b)LwEx!M9$D)F5t|MU~)V25O{xN zRJysBtHnjRTxs7w^IGCST*?&lj017wY7rNgaTp(#yW01KtfS-Fj&+vq$>g5yt1F9= zV8u;IzN$graRgXY@K17acdur=ld#&{?hhe&&Jgw$@o%|O@&X#2!h4CFBW5XgbA|Zi zCT9rDY5{pXF(O}2a||cqn#W~i8ght4u6Kqjcni9K9Y25=Myw@vJ7pYIT7rH#(qTmJ z;FlxXZ;1>kv zzF^$k1TNwqYzYd&fb!oZqGwK!i@dH0ns=DLe^ND0Z2lz@__hBb`ltSY=%0)UrwT~P z|B-H-(!sfSu*WW?ed<8IqZiRHj(wjw*RKir>})_!uKmpijPnn8vhB6ggy{-kN=1zG zzb-I&GkooPXqGR3wZ%Bm5|S~my+-Ii2lRU*#+mqP=v`Uuryer?<3X^!e@rSURt37b z0wi_q${&*MPyL1okmbL`q_t#_rKI&KDzb+N%-bTMg3;P_}plKoNLs*{-|;7 z5o^?i1;JPVGYkrp@F^+b^dGTNcjYUBEw5eWZ4pfdEaZRn%f@qGzN6f2?ZiK!S6)4( zs524c^;SXC_DYxNpKdjdZRMhe#M~^=L!dzPmw^jiyY$CQ^iLBljb}$+P8eqrlpn3V zL9%@KqM|+=F@D_cBa7Jkkf9Ps*cSiQD$k! 
z*E)@3oed=(Yaf$nM}MHG;}PS%v^_bAO}e~MB^sC=b}VhYzYQiS9%i&lX`ebU#B;Bq zJA43iU&7p>X8CwnV3hfI7!(Nn7BHi0ul*VG z@e{p*8=tJ%YdywGJ+Lp3^JcZ1%r<{c`+{Qwc7OZaKr*nr)wlbM|LXk}X0B>KBmPgE zRv_>ZF+SKKd_(t5Mm@2^_;3&$g2!#`Qrf2u^z*_$qw8Jz3v!50ciHI0aYs1Y%e#!v zb^>l5^tDTApE|&OhH&3vxR36$RTr4_`OzNZg+2ezv`_64kkz$|XB71W?xXhGGTA3H zA=KwX#`Pf(ipQAkQrf2ugt|sTz4@1jg)g1pVoAtm9$CKm6)q{7C{9yw@YcCI*{Npp}%yNBslUrLIPJ(pU4Pfd4|Uh8E<_Pr0~Y@{o?vS=4~Q# z3&@}p6G93X8AtBmjjVA#3$pO|zg|TyS7{}%^H_xtmP=|B7-eQVNf9Ao4^U2@qiON<6W-= zn4X7JgeTuF8*i7v`uu9dE~S0yfY7@n@|nLSQ@v6P5ZMu|A!2MP{^%Lwvw2JQuND4@w1fxvd$Qk zq>Bs7##@KEE<&zyEM0^^fi6xHPq%?5)W!SH3a0KfN$SS8j9b6kNSc&(iAbLNdqo|K z7$5x}M6w!AYJxbvar!w0&Nx1|OTJf5AmTNm_xyP}dHbp?Y|QchlT~Z&1a*;pHi;>FZg- z`kHC(odO&^v)H%YgpZwOKeS9`fWjUVV27sqOtY8J&LG+T{qSxcL^53fVeVS$1^5nN z16uJN8q5s5L09}>tWI@LwzXkLK#iaH^Z+4v?@hL~bz_M=OfrziG;{64)A_-Xm9bQ5 z7T-sP#@gBr695omPi8-nqL(RbUrInZvyva^Pvpn;PL24u zihcNj9ig^+5o{a6->#tvkPqR3zq!4W6LbCbai*^d_8&k@Hh+8e(mQFL>_3YA(<|-p zflh#2vSXy_L2Ets)^>n zj934%zIGBmvR8JX8~C;41ga(EXBGcn!uBQXnwdu~7ee4W2_8jf@<0LfN&NciBZ2T9 zeNg|UiT0hWCDYph`V7`b?+Uh)Q%e3z_Q|#HoEb}vEQ}9k7SYzkPanbi@-s9voXlvhh8z7sqQE?9(a6oSE5!@V@f&t^j?HJTxD3e)!m# zB7TUfm_OwCxQgv;KAt%^He4D{buWWG77mUkOUPy|P@bMCKY3t1GtI%_&K%4?oCg^H zs4rr|J${pj-{Y_3AJYfhhv)OcKg@$$VEzpDk4zu7_aGIEzVO|?16`~7`(Q7&(|88^ zr(ph@&kxdaX6A;fZEY*Go(TQ*J~@SMN%r4@>&c$|Fz@u_aQzs@^(2Guy|@UN&)~-Z z_3ywU>1Pk}vn8>*JiSvS4`LY{E`cly`Tp)?b`*&0BYuO&ueq`fhPJBZoo$lBgQa{0_10W zZUpz6%dn@K_1eRf){D%3Y^M#uU-t->CcK7(BUB5Ly;#@K?1Vihvi~b&ZC)JVv_szgi-U2pj zYa^k=`rNm-LZs0Z*m;8B2UY;SJJ$wN!vM9@{D-AIY=2I&6TdS=ANS=bU5DAb#QYlY z5bLh-CfT>A1Mw4j_CfP;ZV={f9B-rfQVz&25q?4?#*e)IZNqkty=|Krn`t)rf}czL6H-DlP5uN$@IZt>M=6>iSO<^%JUXQXfT$iek&MYD<)wRy!U~BBkR` zNJ_G_uFW#T2t32{ye#Xo%*!$_OS8<&yv*}5FEEV4D2gBm3L_{2!!v>)Fp3}uf}#iv zqu6`z?z{WQJCc%9LY9u-_rCY{z3+YRd*3^cD5D)hi?CVPyiW)SzAZjq$Y*{8AGEjZ zg4WH#I$>Q~vX%8n_7g$|gqC2pZ{6mgv{oz3=PQCw42VAze<<&geQge?^Axp*J8eEB z78b&ciLHQmLDkf}metFlLOxr_hcX32cQLiq3rg~AHJROLF}psem&@u5U<7vG^23k3 z4;W5*4y}i|)`IbpWM$9aU^b9X5-lLV8}SwB%JwZ8!bmO}{*f+}6X@ 
zfXHW8p_{jrs&YgaVXAxp#O>^ibVhpg@b2#3sJgqOL!aIqRl}*>;Ye3R)jB%D;c&N0 zuMezbl(ZtKCK_KepG}i-oC}EO0&$k^`rCxn4f7>qs$3~$^D{J2%i^*eMpj*DfPos1yOh<9bUCzGD9ue9 zg~ia!eBQl?w|YTIo~=z-y>~&+rwb)VvAi2z4Hb~&h;U>d{J{-u8;~uQbR(O~=GD?t zsHEo#3!sirxl$;ku~##6H4j!aUj(NIUaL5t&z3Ve9XBuG%fgp;0VZqH+g2Zww5>iK zAQFIoYXbPYCE#BZ5UhRQATe)y@kZ#?f8p7*nPV(zXp6^?T5E)|{bsd9G=uB)e~ zhl5i)^^Phy*W8g~YBtJrOwD+>tNFB?WsCUS8u*bf({%n$nSv?aE^KE$WHWGCER-tc z(9BXURLYjg2LKH3A~)AUNUjz@15ur2uTF4qk5QPJGV}%AAjfjSFJAD=aWqjE1}~hn zrtBzl4HAKm%iFcG9?5<}I6KO8_-QTckI(CQtu}CSBZ%6lc%;A(kl%;Dz-z#tZNj!) zEZjBMZ-5p9tYINwhK+;v>TQJ>WE%D&YweOsl44SB1BLY9h^nBv1w<$p=8G%@wQm58=POfMA#Dnp7xNTaC#!}6xo-&HV3rUBTogO!E8zZS<_)!EEQP@9mGU0D zX0R@(RKKeZx2~kr@@6i0f=S-Zb!6FyvcNPiWYcE&V}?~Z5$PcX^5xsDv4E0nS`uooIr_A!GOWOWok5RZ_xYZ{_eCuB|aMjov7&DHZ` zy1^!+OyArLcO9uWz~-vL!l@UrHbc8o;-HXC!X{>+=zLNtgkClFxCR;}{8h!R1U?Lo zT-nMJnO8>4$UD%uIB3ArC3G?LA`FLfa5k+jg~||}WwLoalq-}}@X0k4MQ=E%PJ1<9 z>r!eSA|&GKUBCFQUmiie>Wr8fcwr=r2?FCnqpDvWrd%)khgx=zYkv!VG1ZtTs6>?-oSN!4?zdVR$C}hj+(=0e-5H6eJ^a1r2=fkOM7Mt3ogst>IEfv zwt9)zTGETg(o_XZz9tK}8oa>!v@p%A6kYUyI$y59j=MLlYY>LR2@eewqnEynQPB5l z(1Jk)1n7G-Tpu;2DtaT31kd3(Z}6|ay{<3kDn*czGupEO@oYeTl8z*+r3Ug!g2a4C zE08`gUr9mk*B!pJvL4BP0&vI7q5d1M*t&uNgHm?@N&oOqf)bFBnjwYq-tc_iSaF4iNpvL}SI&s@?ynxU4<9{OV7 z&cLXR!fB)3mzy^{4dKT&dZWlsp_FtX9siF@wY2xn~6#^SUQFAoS0F!S96`1>)q zs6TU?s{5sy?xvUw*@CT>W zp@zw=F}u`!)__f*97@5D+jnlN?w4x5*JbuzWOgcD0HZc9a(EMLh7-7~i4W0|%b^^E zR~npFHDf;IQt}ozjO5W)m*Y*uaXCAaS1a=+Gs5S?#g(E5=647?*vh^S=%q^`*k2(@ zpy{DaLF%T^2-Cb(A@|;ak_P_Wgu$@=ee|Qgi`a< z(|7^{D1IB+;)ant+Ujz=kvN_z!XZ*KPo2D`SBe~%s`2M)N<$N_PA#`!t3u~`d51sE9Mm2$EQDKJtLiY)fRYvZ}BHWx~j z;CiSW%4Ew$6)siUpk2?;z;!Ps`9rgXc}Rr83EHu^ngDF87Z$0l5sn%Gxs?B)hlJMt z&>~(8z>f?mbCB$=sDcK#GZMy_xur@b1c_0jP=?G>TAzkn1|3&JF*4%w-H54**zH%o`Yy+#0jwTRXw*i+qXUvPne^Ft(0vv*zv6sJ z%c!`hAZZ8ThKs*oT~MihmnnfAKhjw(qZ@{KDCJY=cZWTAUm)mI+HjA8F9?TK>h`R9 z33`{kaKr3^6u`>rRk&{RW)TX5tcnzyT)i5NVBI2(m0+dZT(jbdpqY_q2FB5AbjKfT zc*)Npv2Ndk>=vKv^1M0+-Fw}DbHf_kJ_n@+m&P25y7NPtY<4GVX|mY`D@V_DPZ)Gx z6msD9tsPhwIw$)iG513j-+ 
zV4!C^H*iI_BTWBIE>SqNc&!kmTL`YPPEJ2qFR9NBwG-_yK`al?b+0H_Zb{KBzs;fb z$Q}p1(#PBouPkp+^2*k7gNXfR`Av)cW?&pz&*UU5cdv{iH_SWr2eagzD&$7mi8Poc zmX71QSag^txY{~;CA*0u(9M2-_4RV(9IsX?wSlqur@`)f!Y}hz{C<7 zd^bxhKsS5jy1mc;urfW*^xVLjLpX3)eWK<-Jx;)2r|z>XH^hB#40@a#xd9$0KcL}0 z#c@OE_yk_kJh0hYa>KI?n5Wl)h{NiAN&xO%2MTVGJL(2PUO_V((=JV@?0ju@mJ;F%_adD&Fd~1^cM{E=j|J8Vu)?-IUcwcgk* z#H_~;+J$G>xRad%oTE)n&h$9XZ}mDHo_k1m*aA8IZQ(cr|CM6Xc_Z#XzceT;ThOmP zD*Tv1-xzj4u8%sh9Ul{3U@*^3*cgw0*M2pmTSc4Gn`L3aLUDP)Zhdx1n6z3?{6Khxv3ci5j#!uf)bA+s)-k_unL)jN z+;1~*`vil6s-Zja!HsIER9KuUYZ*u=3NoB&zUs4T<$c0NcxI*OU-j+7qaXECMYylq zC)ou@f@ncoHQE+5fUJi@8J0r}8%+qRBV@>kK=lwJiZ{(Xj9uc&H*&?Kd^2CTX|)3z zTsiu{NIn6Iu3+LDt4e|Rj_TSPzK5$n;hXJ>55CbVx3HQ(m*(xOu*ot8ta~t- zuAMfzUw6jA&9tZJ8&PzgB7d>Vx7#cYpGH|K_hA6a|pVU6eS9?(R%tiG_pL`d0vh6+u9&!F?|HF;{j%S;6GEmetDs{`os zxj-+C(lXhAoVH*V6c!E{tDOzyNw}6#3#yriFcVWwOF*(SIIIz;hfkYWN_Nr^7N8gi zwgvA*3W-Sr#6)< zi4KVPBF*{r^3nCKS82pMgz444@Cy;2e0773$^AYFD-I99i!S)C%f)--4_fc)Z5Q$M zf1+C61ER}5`L`Pz5Os-haie^Eqg#xZ0i!5hKTTr1ytx6!ngXX=o8&v6`yIbRB3>r> zPX47|IOq4tKi=Aa9edX!Q!`)exV=Swe#>WiwL|V=ttAFJedVKOvgALH~TQs+fu1NB4z6i_6E4SpGaRPHcb^-0>4p4<< z^o!rKsjlKxhBIyQ@h^RbcNxSp#KW(i@k4OuldptU!USi%?7f8d@0Ty!@3!9yfL#B}!%aEI8#LNt2v-BD${!J44g&&)Se15ylm*Z%hponJK zED*W;HTjOb!m@nveUkm{zwry-huPg>J4uIz9byp)yt{v5hkWhp;4xWN&UuP@w1FhI ziO9KU$z#5?t8L}=^rv^pzu8F@_2Q}j!ddzdkotrxtqCX^xul^lT zJoQZvidaNc{Bp-dK zs`6TV4u*^3+kfvDcKGDy_Bx~8)zPQFEnj)~F6yJj^Tgt9pt0bSFU6eI=T-6iD@A@o zfn~>Xt-WVin&ZdOv&7 zFH|6Cny~447l}SMA>T^YDH9bx0#u@S>7U8)uYcEGR+78$^Z0k=8wKXh1kj>d!< z_u*Sp@}()@on_jcr>I98Ab*vRKl2mP%bO_&dDS`F#(!It-%R$_ z^4qhp347j3)VZtxQfGjaB)$)%VB7y~-jfuc;~=G(Rf13FZk?LEG+FK5wae>5n z=M|cf_a678QIjtrGG?{et)l#V5xl(nHpJ_O1jxNf_#(&9z9rXcLjkL062f{Ain7S*jj6E6|DWB*PY@;gTxl5>@3 zK_XxN`ICMS)$6v&vl>ji1_ZZ>9|OURPk!mCh6L>-8%>s3CI$Be@(D6e1-3d@(6x|CiWM;?8laJ-=d=I zQ_6}mG6Oi`N({!%DHDp4IG9kBzA~bjMl$^e`{D5*evc?Hc4#q<hF6Q~nKi;P7klS9SypfRnEA5;z_{v$NrrXTMoQBWMz4`?P1 z_@c_rk@j{_1bi5O{lkL_a&Q>_^+mB~4u2&`o-TZ(@%w1}B91rtv&RpBqO4DRKgvV! 
zgR!Ml=VWm*F}6gV`%#`K5`kG@pTjo4%E&DC6Y6wspqw5@(0CZ}Rnt>Addf`iLVG(2 zIXK#_B?!GTIFf2OAK$_LMU*c#KQZ265I6mYB0wJugXb?y`Y^2!^&1N#y~!r{=LkQ+ z&#U9z;mPstxs<6cn(E2KKzM@GOO&l&V53URNacr$6Ol{>#)P%SKB8AWU&?ShjUfGy z{_^-eLGw@ilKw|fp7uH9w}Ji+_5u*iM`E-xksO*$cE%P`31e0_`8$mL^~c8)?2jR= zH6B?R8G%V_upU(GUqsW2&8ZQilI$EVPDZ*j>A|t3Nx+qAGCoJ+Nnhsp$ml|9e4v<` z>6>WGZ@i!QMJ5xYC3QTEPo_Ufj8!JajdC(F(2+)64#zve9!Lubg2G>qkbx~CeRC)_ zlKGkI3FJu*855nO#Z;u5)+PeHTB=rx6FDY4vDPo5<5=Pl3dL~_)ajPx$) zW4#^dYw%O7D^K5Hq+csfA2u+4I>(BWh-7#c`5}FJ`UB-qH}nr9=tN`y)=+vu%Nx_F z+&~3wL{Vn3pPp*xXQ!t;xISWGJsC5Sj0bStI~)3!SONP@{zr>iZfrK4FcwmXDnayV zRXhAgCeT;Jur)z;(S_gR=wJ6?V;`;8Bs?h!BI#R1{DqOc+kcz;i{rnC;~;PE!S=@f zw~Y7*z4>bp|7ekpur|;ePA$fXUj6l~Xgk4QnErdn&=NNy}!wGg4|U-yn`}?`kX`*cb3e{FuLp)pP>f-q4}O{Oylpzv+MTLklUg zoW3aHtFMoEf#}hCM7xd8;CDh&yI&6@e%F3YpjyP}F>O{MQj_By8FidYN88!hzdnNf zL@F_qN#(i?4a{bA1ej>xUp4GsBzs?;OimhF&Ip_SJhq7VNOXJuSB3{@gF}BBpTp+I zF^t-e_6wE|z~dAj;CIs~F_KXd#J>|C?4NzGy?tj_V|n6p*iZgxaMXacJf9x0{K|nt zFus95h{dDOPyQg)IRyKK0ekn6X;_b@KZqT|{`&r;pT^VrOC@^qu+LS;C;d&v57Kyw zFKImUtDp*PWVzvdCx82cA7ij0+0k@R#b0r4u?d+cC4_@`QV&8?BRqWy7(@GH1j!1}syKcr4r>}0yc zl&!D+;aL(GRT0zh(Nqe`-`9oo9&f^L2k}eeX^&fO0>6{skyH%h@MU$pcU~De1Y3Cn z`|FE?>6`w?*~5@q_Q6#ZGjv=R`C*J7mZ2fs4ojJwsx7Z##p|f5I4)YVXNcyTmgWI$ zr2Qq^=E zCwc3y#{gwGS R-V^rqeck69f&ZiU{{c0)zl;C? literal 0 HcmV?d00001 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet new file mode 100644 index 0000000000000000000000000000000000000000..22ced6bea44db065aec179b0b1d118f281287968 GIT binary patch literal 68986 zcmeIb4V+xXbtgLAGe`r7FXL|aDEfIPj(wLk7`l79N4NRe4*fAbBO#4G5YlLpwYI0H z=R=yA9#7AQG|!t=h(Z)rRumpf6pUpo%d$*}Ob9D07%N0e2#>Ie!V)df;}N2@iA)F& zD}-oSqJ95!>ejt=zxwtd?|S$5d;Ob_+qbIDId$q()v2m;POZ(ZPefWGosrH}k#MBx zBTY>oYiep59IaJKwMwmhq&iWZs45L?Vx$F zkr0y)cA6H|rc2W^s47U>8N!d2B$8xir4-;^AGuzl{Q8f-_TTUSXN#I#_*!L3%zP3U zTMRC=OplHW7W`85m$X}e&B|##>1Ju`T@%%9S!9`{;VJ;0n3+Pu-8x$ybWw7Zl@?Q; zZS}vYWoUG)(lSvpNV-21y+5Ss!~&&=y*P-tDRPq};(EZ#kCdiL<>|^)d!aHrT6Qx7r1)}C7l&G9O3ZwseBp@ER)RZ=iHt3y zU@&CFYBP6P-GrjT11(xalkB<<@Uv5+rHP4BdttORUY&3^+;xr&G3N_Gq|vPekxR@yF-$5cK}ho*pcr@bu7>7o#~ErCfAuOrV(hXZpju)6<-cKTyzJw?xoD(R z8>!S<#zt$?O;^m8#%4s9xX>KE(5xK^QTtvt4L^xmK!O}Y@?AaI&m_~GE~YOw5@PaU zAuPDEG&WqF8l4^)=l-}q6x}b!Y&TfDRLdUgBFMAfI$OmU6FgdFiAj~ejZRKir;Zf89bI_p>ezeaMC+wwMKtPjY z?!h!MJ~};JfzB{dny$L2y3Uay=6vBvS?fr(Htjj{1cL*OYa?qV-#!WW@u70Oq*wIM zq%)cLXA+6Z&}Z~yM*mDanM#(*i9|dePrC^JWFw_w4dwEzV)Kll0UQlSkA}4|;(kNW z8pR1dIMniV;r2xK_H6q0O#1d>=k3Mx?S;hc>4K~3AM?o=^Gooq;CQLb;-zZl3x|wq z=n-8uXAG!@Mr-BLSo`S2bY-j^Poo1?=yKC~Piaqh7gU zo^Kacvqgi|@zN+*is9jn5Pq~(R5wq^e)zmQVg|iV>4>Gyq2n0xS9j`w;=A}#}8CSbQYS7gk>^v9UA)u5YfdRP$7v!?f;KGv832b3Z zlq*~OCa55i8%2)h`+Vf{a?JY~P%~H=s!Y^IXDjWKBU8MAMC0B#!oM)7EM)# zSw+Bn_IwCG+Dd9yukt=X-Bb@%rfH5I0<{%va$=|;6~x|bH+p1>dA;flUy zx>3ZAZidlqs(ognHZwqL^npry8H;qMz8WzE#;E>mOheZ*^Eprnk6x}F$lM7#n@84Vne%U0)`%r5UQ zRsrxD#R^W0L`GKOAD!Nj7RH(Yj$bgc)!HlD%VRS%$hFr-s?)TKI66LAtwBS>XkD3Z zpPGTRL_Qw*_$`279P9l|9SE@-T;&0i)+o(k`r8r?HJc}VeI^^Os%)Po)et0!ool)D zZiyZV<44=Y8`lfQ45EFe173uhRdNjKHiDa4#JWsFtP%q1g_NPVlgb-0J!FQvbZMI%zlvU1>F6Rn4#M2zg1nHVgMw%4Xc!BBgpKH|<3^LXb| zi6vAC@O*X@N;Px)WGH$vr1elmJivH^21&_CQW72ku7R1+vFY|&xiT?YZZFMNM+dzc 
zB;uJZ=Kb2I2G`&;X?S!3+Xd!f<;$Vy%OS0os^AUE7XvDyY!Q9$yx%dZOo_G1CqbP& zcs7OPTJYBYEL9e^!00AG>z&_TM!J$vr_X^@Cegt38B|IPK0&#B8sjR=8l{P8-(^J* z*hZ0~og9ZXE3m&cg{=!rStYFA9G&DETXM|))mE2SYYpo^I$Pu3pq|y#hhY~T8ky+h zqNG)(#LOqkXYP*0S_fz3{<_Ux!Cg)_A*irG$EwIG*%vhsO&}^bJ1JNHT8J=skRnrJt@4TTS){Zw*W@OV zMTg97mD5cK);k_M9A}6QQE+kRI!A_>^MxQ#HtRKIY#8E9-^X?(7?_VW}CAB}ue z4$zALx0hC1?n!Hrcpo$V+X&FF00Gsh#fEwzmuKPVd~{xm)0pZiZEu+}fy2k$GBPFB zDxWBy*)k5y&66(6I$6vDpqrqqcP!$L9W$JSK-sNK!2o6Zp>Pmj6naNB&d#{82SsrI7LT5ZNy0KOH9z7^6o(iq|ov@SkW zQCUTO;~)H1Q8FdgDxUy)J@pdJ05zx`fMem?)nVq z>7hpYY(ObPI0JGu(n{B&=7TWJ8^vPRS4;!&G)fKTg>WQ%3;r|-=Ydct79!;(6lrSv zRMVn1pVql@w6YB1XNKojrU22~bo!h0D zt&Mqa#6IsakFKnZ4#Rj5-WFHWxy9%Zj4h@s%8qF`TIY1lvHdnt867i*EgHb^3mF}S zkh)C>mip(7)k(8)b^-Olx!cxCStyR`?%ao^0*&D?@Pm$k;~;1f?NcSFK{RZ8+Ugxc{W{Ko=xQQWUKyh+u6v@&`+D}SbGrBs23f@cpS*=Z@Bj^!It-MWoi<~iPKJJ zgO=!}EAXSe6Q()+e-Dm806!V|q!d5ebGdtB+eCG4q8X2?3uHfRZ|KEFdaN0#|ARPc z^Id3(J`%!@b_X%lfgRNIs#6>)fg1kErN4`IWdlIw#eb(v7+TR~$%NC@0mpeE{IFTR zwfhijm1L-U6Y?EvPl|qb=YRFn?_^4>RX!06b0yjMSYA)%lb|gmx{1zu=OlW)FVQk3 z)+(PqB+=Jl4Ld5fa=lbl3Eje@n;5NkOt-@zyEZd5OGbNRP=m2phLcH^{<|mKm|xDA zZ;Ghvf|ZABYS=P|Ryr{=K42^(gc-9i(f%-WpbuRexmK=|sN1i{XrHD|tiS>mMZ&2k(#M6})38^O@cMK(JEQ8IC{bD#!@gF;3ZZgu z+D)iTQFo{nLLJIHtBF4L&2C7(``-@Tb=8h?)h(n~@avfPM_e{_S1;}@=EYxi%G&U< zR8>15dlR+*@ZAtn7iU`NZH)gmj@(q`C!!PVCe~*I1Jv%-Wg@Pp%8Ip1rW9|$B_^;G zujc}DHC#2nZJ|I6jnV<$3`K_I#7+h-<*Djqd#zd?t>P?tNBc~fPP$5iHCk4bt5bAv z3@g=f*dXDTmlgJz{{|O;*i!%EfbE=EjnQtm$Dkp_&C?B~C3*#aw{Sp#v#4QWl1L_OMpBth_l}vJAJ^L9h=vJ*VrNUUVieRkTVTge z9!M?GXTtc=_Ay&NBsJj9RAfqWhb#(kv;(eG2HUHXI2st8C!_VrWk`V2&O~jp3fnw7 z{Dt)gR%K(zH&L1;OFgKOw_pcD*h+PVZ(3F_e=OpO23TkUYK}G0IMV#P*afkyrj9f! 
zH&;PBp9N{dign8(xVn(H%U)vEho%nP!sN7y{wOv#hBcL4;G5*mK*Q~7nhcqCIA8)W zD)Ww_+1jUPMYEN8z(7j{tT)8_%srLL+PUWygkjodk z;<>JPu^5MCaV`&w&#pvQ2X+NIGReGN$m+$6-qEG&DA}3Dwm_ycxjf&gXAAMXo=g_A z`6N6^bD6H?dS@z`&&6*-)jJdEOtJ$7I+u5Lc61i=%M*ooGK=(hrXwBi%5^5XGMSW) z-eDgoZ)&t;Y-i}FT~X>Z`1RN$*zVEZ-a!Xiq6Ze?N88y<+V1~ewa0kF-g06^O*$w= z3rHuDZ-Ftkeql@f|s zP_DqL`D*MzkQ>Dho+wj2(L*0sqnLX}*6tDIGk1Hugu-Wvr*ibMAnBgaL7BrwW^jrW z=vw=96?)cm`_L2zMnXQ-g5aZGx!_gpQI@FiU5}DjFGi@G>deHnCElvxj2B2hL?9C5 zm)!5T8i>2|Yhka);9cClT1kwlUmB;_>=Ggd%k4BNsE{0BL7zw0NToZ~BhyT|vynw@ zP$?mrLAe^Ps&5ww!q6xk;EmEnXiB1wtI=9zO3Zwsd}bGMYQw64`E(UGMBRj~V)1Fc za!4h=n(KCj z)wgp70c{jD*x_)S8>}Vgx+|Z5yZaDpR_0$_&Sz_*2^=j2x9v|E?Haa09EvOE2 zjX?&{%82rhp+|h870Q%Yt9%kv87iZL*Y(a(WO)mcZo;(Qv3lq*UlbO;E*>rt?_o~5+R}tb21gok? zGhW8%kBu7+)#%#E(iC<&$t{OmM=aICI;pV0*g5iff{Tv}ajQ&;nNO6@oO|AY~KE0dpy16P-Vy*H?&}VeNM(C?yE0e8Hf5{9dDq&erbrZhzj=Q46 zxOr8TLN(om_zq+-?GU~tYHG~(ZNXeMl}FX;xgLDb@}vU;*GM?zX%`OwJn%(~4VZ|<^?1H&wI_W>r9DSl$L*zr~ z+?PSX#D&Rc=Y#_!U3{y)}Zg=;ncfOd<`vtSfI7kRb&xY`$ zttBq`!1l+9+Ig&3I!g(g!)~VBfLV4TsFYAef^sdC55AgF5TZuO0gDtRL(X)r-W4>P zHZaOv{_5omkuOL|y%~&LK!mAQ?yTg&)IC&6S#7~ZsO zM(|T6iH<3L$|Rs+Xs;Vlkm;`y40*SG(dVV9c^_JYqwg)kkA|2N=o3Hv8vZZAWPAUm zGlUJR?&@)gWDC8G@!y|V!`RM3!qIy}_%TdiRBUz%$;pjAE(%*^O3ZvhHirlqqs>A^ z$axwPMoecbtg{=jZjzu9gNk^l5zF_-=bilgJ$4ev; zgriYPz#W$}Qw{OD;6gEiIBjgYgAhkE>El=UO`0+#)+(O_(S{h;Z?SqiG!mQzST|8v?|8a&?9g=2U?ha4cP!~W>>4jTeTZo&G&+_lu|De!3ET2Q_VrBmXq`-Q&=xy(aIleM;Gj~1OF_AO zTc?pzk|5xXl7NPCgpw#!u~S*O11{9HTPuSzt~R^Qks;=M;ajh(DhP-@wxu*UD8dq{ z*P#Rh1*HyKg6>LnYIxK=1}-)dV)DU8k+HPpQBbw^YDIKZHaBcB_bODw0yj($f1KLfb>zkl}Sh1<8w4Lkw*bSv;%KzpsKeywi&))$O>~=q`G9}h3 z^MV|rSGB3RN<<#pF4iUf4SaRE$~MUGkhEfw*$r#l_%Ny%)TuO}9?EtLY3KtP(^Y^V!m%G;uJU$Yr8LvNb&{eB+SRmc?ddVccN>X@ZsX$S zVm6c<6!GoVefS{Qc9wnYNw1lc3A4bGhicX1qEG_g8OUatXu)M(y*Up(&!kYslK%_mC;s z%^QY*kSxLJqa-^o=xU2O-zb^Q+p+*lUZ$laU-o5CZI^!=ltPZY;|c9RW|Vv%l*wq5 z7v5}fUqRI7aR-rt%yuzQoBd`WCEMbHxG?}U8Ba>0{YsrS$DKM#M(52qXtc8Pb{(^( z93nI5Qkynbq#C&U#suqk!wb5I&($qT1$=KlY4gAOL@Dlhxk#J$?IKDsaUnv$ts({| 
zf^P0mz?!af5G6UvD9NsiF3?|{cUCCb%^M*A?GEm(w*D&W5O7_CtV2LH1#7))3)<@5 zTc7}8+Ja*L8?*&wQ^0zK-f#1ay{{JXhg+|#X?Q=OE1DgXQ&f+x2;~}T?rF9i$};?&zDLO z?+~+XJ~3vMf@Y{!3{o-@tdh)J3ksMjxfU1-)|_(eu}?8S+QOPD_|52|AWsG#RgxQs z+1b`e&`t%U8AlTsrJJ#uEJI!*Sw1Ss&M1|b&mFNRmCR=RN5GQdA=PB5aU)qiD#@Pl z6ft#r1xi$knGp&Bwa+~(*}@G%`%!}kDo~8Ter+-?pps;6kpY3+>r#@vqU2#fgtG6B zx@XD@i(ybuI71ABvMIC(umKUmrmMH+taA9Dfj3%Ze3$g=ZY)P^M zvMFFgG@ON$7goqC%ok?(DkXzG`V_jcEs~Uy(RWm?6LJZorGJzp1-4)OBB-xEF^81G zfpKxLkh#p@J$VHk#f8Cw!SpFI1>AHk@$TzpFcBonSR)EpGiC>pWk?St**DMzbacO{ z7)o&pNzumfEtHq0ehiczs8W1e~50zx$&_@Cy-2O}fk$uOr7jdfuxttkd5|m9L zM(v!&jHzzCcsgy-8rH*?OM$AoIknmRoRmylqaY69k_3q+?h-kSOa`# zB-Vgz3RZ8A6ey{lt|dxArYFc1!=NW9n*!GDO@UtTa*a?5n7#;Ln{-uBk_{&VC`Hm6 z!Q`mPWp9R)H9m$|{8hl2rtByqE!~x5hy6GP8>fM?g#!#q)d{jzt^95N98O;}zO#$m~<7f{#fd(c&c4eC;@-!~ktSX;cx&b3P!Dk7}}12$3uw)nuuFBUwHg$;+bsk-Z^u zt7uymJ=q-TH69OM5m|3M9$OsgHy&TSGBRa6zJIlu;mEa-3FGZ+*PCxI-57ZxY`i|- z78x=g?^_nxYCL}M@yM+4`1;RA28_pxKW7s0?x)ORkKAP9xc}w|u745~@4n5Vet$B8 zQ(N)=)pX<``Fto7fs2NCfB17IeP@5(tjpn?`SxU&1^lHI5jYNsf{(AZ-aoM}@=M0+ z0~^f8CpTF+_WeSnXymx?i{|6bEoSBe16JleLy?U}=4VDsj=Z|f%CUPgf^f`&kfXK8 z7mUZ(XCtr5*XQOVpEX{e{gPGpT{}aOdE@;D_k<#_gcV@k`qhwG=d-&*7Oqo!LMGGC z?X@x;{moG1DYNtgR>D2MWj!DH?U30_XTD;+KmS$h`4QY@caH@0&Os~Tz&Ast5FGzj zD6-NZ_0YGiJU{rIkjcXbzN3(R^7oZ5uYNZaff=o+>BXn4;valp$@TIdg(4{<)06)p zWH!Ppe{6AJ&+{R(`CfS;WHI)IQz1+8o_QHxnhj9*zZ#1CE93dTzY0ahjOXL$EIJPU z(0YFAd?<3iBzEUpp~&Zr0w4UHmFd(w*7L5vw`jWOA3~9wMDUMFWcbYr{d*D$E>iNgQib#AXY)bgKCzKLrk69&N`vWE6()YubU?2M< zCFSTJhs_Rk=})ZU$6g4V;`P{z*8A5^g-!OKMr>(01RnZNVQbX-3+w$WuY^sJ-ScWV z@{ktT1zx90nfo8KOUHUBr(wVPVg`Ya0B%CagcY3)#!Ztmik68_&3W@q-hg zo+YKJsp{O8T6qK(cafVAAMR64vBl%?$t(?5KGn2}LhSLoMZzdVzG^|X7P_RTDUAnm zwT)aWGP1d_%tp{!$dp&UpmNeYQ{-QQWB19@gt$LS&1QEVB0PqV2>gH+t@T2%P8*9i?oQUT{$pXt!=@z+mck|xehGZHeH?EGB{eJTPMNw2*J5-a%4x1e0jHw zR7QtKrUis0FbaiXW4S_iRj6cK%g2dBIEUryGu5PPtRzPv<3@QkvvOU#`r5qM+;|DX z&FdH=9~HF8%MPq8bdwU@!VcndV#X~UMUVDl{aNSIx_+Bpt*yrIm$@(gj9p2IEo)`HB$O zoJ<4}4l{C@y9v3i8(kJQ(xa-@O(PhY@m;-dMAphnbQc?UcStg*qV{?KnC;2~FRA_s 
z%m^ObqF2t)?ndJyXwj${1YM=Qq1lH3n-e3+i4p2LvcyA9h$FUX)gcQgZ^SJ2(Z+70T#LM3Xg7bplFh7PN;VVguc>!jMy%h^MToGLou|Kw>OtYX7pDUi1Q7{q6u z|7@*h1cZxtv$uY$*`aZN_UV{J*JAW^3KwND-#r|dPH-}lheQ)BD*}%#qZ$~8IfpgRTFB!>vY)Ch zojnw=ii?Hk5OWm`F@g)0kAn@S;a?!%aWmU&`^Ctjn%IjsmZdvHm-T%NDsZJlp(aPF6L52E9~vXgx8`f~-qaL5a~NJp(bG>g zN9LQfeJvIeV`arSgd5SxW^G?Hu9Y!N-%T5MKzWOyyzo7&2Ai~ZuUIDC-^5~!VNfKY zgI8$pwIJ%NG>^BQbdPs{d(XFsx?N8CJ!JB;NLu%H^x zN6l*VafA9rTe#31z0j;(x=}mxk!5|C?Tc{vt_Y~ey+>LivFOu(*c>?!ZqiOItydFE z(_+Sn(5C0xv}0}PO@;%5>B#`t2LL-7J^M$ZH!U-p!h=b+%>srl;tAZhOndET79w9y zGR_BZB!Gsw@XyTZ2>JEefM9IGWAB5HYsWsmtk3OQ;o(_<`n|xoUIMOxChg=WEL_G; zhSje{Ag|YdRy*{w%ld4N7@ekCtP`PXX3k`(vE#qbilxxR>&4$1|B_A@~r zfFNq=i=Q)xsGAJ_yC%HDpVQv|ECwWb9%()49`AtSaiEAsAN^AvkY2pQtg|jL7<+@( zo*+w>n7YsYy!PPFW9oK#YJJB*B<)SSaP?foq3 zdIz?y=wm(U9`8WGt4zUjFLGUXb(?jS+_ddlD!uq*mv*Kg+cv-@$Y|SuTp;EGx9zU~ zDBAX&l`d)=Tcu3T#ZdHONPB68cClw!Up<$jx*kWse&6qqs6TP48RsdOhBFESQW;#UFjVIP==hrUl^YU%-bZr8b zr+_6Iee*O9N}9BX?{**YGg%z<4@;Rgn^CrU=U1UY?)b_vP_YMuc#vFKBOA=>5K zP#toVa|PyrxZ8TqkaniBtj}^SQ#{K6{}rz7`7<~kY|@U6)&Z}cPcVF;YCbcfy*~_9 z)8&Qc;g|+|Z!^9}|1+za2gXf&H<`lW;OeW}w0E{jt_FCh8C(s>1uAy^E^&3wD}t+! zebFSN&m==RXyL=dCaDA?tV0+-+U`khR~2Jx9k;ib+fNS2A7(QFFv*zw9PXc%}`uJJyDo<~31h~QQmgvLH_|aaU)gGBK7#`$jCm0^&w1+ys zz;!+cvPeHU@P91BxpKN`(e-UTCd19MC&6wOF}h6b+`RVOJZ?P$lyh9UeXll0K7n10 ze{ELI5+3tRii?X2z0ZD0yXQ;G`s(=o)pPp;+KWv56F_?}h`+Sc+WD~%+s?fhIc%g( zhBO!eX;1%~WqlqlgI;cgz_#xw$>#C@r#Ujzq}{X23z_{ajj@S~0AOOI9la;Ctk2us z(8t>lNRI&N(&&NLnj=%#h`AR?ji4A-4IRgHjFprtSTbqP{Avj5m2^+Eo^+3Qz;=?W zxbLr6y?XdQuPQ3%e~d{Cv9OfV-u^YzkJm{-ZjVAbgK~kMvt0XApogUM$uC<3#aiWo zBU2$3m@v`O_U!=`cCSc>lO*82%k})=bzWjV`5P8jts_g5jj;97j_oBjN;gXDN%wdM z@O!>Pl5*;=nT_Y~SE#m*KpFnQaP(kUg9VxP+&+-qfKz58KAE845GYt0-E*!vau|#| z@$Zxxs^_g{CEt1gvhn~`Qu-WOPrAoDpg6&meB!@wC13t61%r8hYl4R<1s6o}(^TQow(k;UE10Zvz~8SRvm! 
zRW|8|$)5J;SBQS;ZE8K~9`6AE-p5G>cK?vs^V9(azU`FSL;*`c?dh))3TdZmJ?S3r zfZ_n7cut@=_;rOvS6Qdtj6mFK1Or3u<*$K1o}RAW{;xoD3}}`{cfG-D>XYA4YT`Ua zH!B0{MeW&xR2k_gYdz^6?||hrSLOn+U|VhHVWl$IQAIp?vgsky8^$4ayI>coojZj3 z*nDm6p0|K}o*_T}H@x3<&k+lTMkXyFk){}19hgyC$)gJmCRKv?p*wc9!h#zOf7l0U=_L;{65j!+P*q>@gjsho720>oMVloKI1*)D0 zRZF9<{zyy)yZ(J3SuJEt!MqTY6ii{YGf$Xw1-K;}bOq!BUFVpt`~FtYb>Vm*U4|_L zQzinN!Y)_4_q(9X-vPRg|1)U#fN41XRx`{+o3t0c2O8|bv!vOIlogv12~$EU15ARo z7oQ>_mCn=FlkV{jm>+zCI>S?c$3lAI4+AUjI1yKx2R6vszVDmO6X1SrG*3V-5O@>> zE{$FUfuuw1J_!n&+CJ5^sLiJrSq3vqTPm8;U=aP;zEB80-hlT!SNQP%%ewA;&-zx_ zaquP<2Qa7BE`fwT%PU-Q5C`sW3-JRUwT@EZ4 z8Owd|u>SMX^A?s7$B;;dp_UntY5=6He8N%Mbbv*;_S&BSxpUiL-|v%zyb5I4cDV4T z9}1aaQN%4G77s8w*LJ=Dbai~)>-oWh3r9fM(&*kFi{-;BfA(Q0Q~R>mtA_!+cJV)g zFh3`HU+;R5bdpJW-~#W~pZd=hMf)3W7@J|0Sh5L&S}?CAdg%)MXt2xIPX9S*+!?w| zAN^b+tEX@Su-=8sgA<8DGL?zv5tm;_On-#kkL&SbS1z6{bQBV)d{?HJ?!r~WMIG_{ zr@~WWa-5-7!TAXHj-1*r!;)fyay&n)c zGGv4Gqy!azaei~=ZH8%S|CPo}o!B0hd<8L4^z9Av}gGGR}Gazkg z^c9eXW3m%(S)}#V?eaF+4M*v6G5E-6XZ{w1P}~U)I|1Eo}b>yEc+ID+LsN|^UxpGVNP#8ZNoUpWA{|%J7LxsfZgcboY_Z%Z) z?)z`ek!dVVemQJzH8xHQSt9aW_)IwZOjv^tnD*d*2Q7|}BZ5CckxD?)!%Wg8kVLxo z{(CK&jx@?2#Y)%QWL*>$$I@_1(_Z?OFg99mS~fjZny5`yrx4$Dv^vo~SeZtYZQOG@ zQJUQmi5Ke5Jo@2^|*HOw<}Cz|$s;ToqM-3@{e zeI$Asuw$?|`?r8~0bnu3^Jq+-`hpO-VF46J2pySv+i;f--I(*E+;6kV!{|!QW)V1KRsa^OA_`o)12)7dx@ppjg1?Kh(J6mY4=gqHK zjU32r=L{;5!68&Td4QT+M(?p^Q{Ceoh&abY?EK{xlK7_&TGe$*8eP0>pUU8Jsy+X8 zR87PK!c<0KfdKP;hIs-o=`i?E08DcV+Zl@D-~`UA+VO7?!;FAjW@IivzW+G&i+2DS zCa!OPt3G7M6b4UN?U`=^Fi&AYk%q(&9h3_sJqnVRMjySWg{QDL9<`d$i-WE~3NE?Y z`EOH`Np0JD^1jBNRD+<&!)9|Jc$BO-anNkVO3 z<=Q^DtA&i9PCecrZnKGn)#W?i32Vo`1Ket~C0np1V0w>hx$9S3A}gD;Lr*q_$v-rT1{TB1zb%J-)imXF=~1l?a6xbzDhWH z1ejyd5ANlrf8=`>Q@mu&e>)7G+}efXCSL-AMHzev$OXPU!+d$_*92d7{b7Cbq>~EI zlj0~7PUYI;-v?dZ!KZv;QUUW>#(aKv3ms)%JZT};?Gu+nKH#^mz3`0WLr{<^!H1w+ zpypks=IpNvJ{)?^mmJgCgLxoqE8sq_oqrZIxr1JL#K9tIe2QdZ_rGl+L*CQR1DT;L zIqL4c{)UIX_R^n_5X#tD)|2k>4hRo3!Z(4Cj#K{Bw|1825Lb^*J`e*yyY~fD&IraO 
zgK`1t35I%P56^~|Ui7bq>Um`9SO_Sf?L;A~2U$-(ed!D%d<_Uujfelts)nO4IXs)J zft1$82wtE)c?uO$?(dGi&5$4dGH!Nh(hmN)Rh9aXZD%@&grFTdO%;++#;hmZ;~hA7 z@ApU$o&#D`Xz$Bbg&d=jvqD~%VI%m0_JfyDFGu_`XFM~YJ-}#p?QMx{#FTKxs%;}^ zZFgLM@E2k2^j}b&Wjr+NN%wdM$j1HfYYRi^xaS%1E3|jd0_A0dal4!-Zm7;1sLs;p8>r5`VHnt)TUdRJ z1+To286h~dhyEJ%@reoN7ZMJ1?0lN&c$FPprAKIB8fC|?1g5t)B zVLd1pD13-1Ja@ks)*pHkBziAPy*ij{_D4(-?cpCSXvBIF1jM5I9$;aA?(GG!$nN#X zt1BmodV@AKx5i-VL`0(S>Gadi?;X2#6THd&wA25 z-jS>`1NT433_SO~#lYQmHNmR^y_dW45?Tb0(cb!daPj}YhZa{LgVmR~#m|7%;?u1Jf!{LS5aXe(}IF2iZLxH z7l?Zv#4U}!4&rDjvu97E)Y&yxVQGMHNZKR!fkglKjbv%y6TT6|oMU44ex-$XJKx)D zHD7&Jd26-^$fRBTGBuS90ckzy9`8WF2i#Qq9_FTc_BSnN7^*Z!1F#f8(r6LtNqd1j za*bG$GNvS;J#d1A@f4t8f9L4`=>yGFLI@gyMQKmoPtcqfnnoXEXuH13(BAlW-q2K6 zCt;+6kW<=$2LRD4P^D+|N>KhR<9Z6XV5IZRZ+qi%OuC3?rQQEqK*RzX6w6WwXizSY z@+wGK8a;GC2&}H zwo5zpRayU_sG6ewLAg->y?;pc-}i{9|6||qCQEV3=c!#7Eh2cB_QBUdk~2)FD{dzc z9RZ?P^u*U&$o2U2H!VDd8t=Ly&-Czj-gJpLW!mXOKq~`(nh`*O<{3t_{~+(+9X+xT zG>#i85duxSa2ROZfkQoFi30U2jQS;@#zOh*qYFSSBNH%h=^9FeT+=Ro8@SD@D5LK% z^e4Z8n^2py`+pbEeilM+Y zr87kYk<;EkikfmD)foQ;jz<{B{zE*`9(}^XVT{x+Y4Nz|5i#ksUB3s=ju5Od$9JGR z&gh;4I;=5YdlKl3LBJ24&;5-EeW$(t`@~Hd(A9dCKJX-56^l6?=gw?)E}I|DuB2D^pUvj@J-*_5 zHoJnp;g$T4FH|(QZ3X__neWPG*UX_*eq9g#mU30RT(=47@glyj&22{BIeahNT}1wg z+}+u1_wYt~N#8RBYxO$3%&#co<0V;t5AP_P4IJN!Z%9!=NX`t|L$x78JM44lz+`S zl+CBID7KAW7v~68mA>DcC5j1Nelx+_PVjc%s}27g)tg{u%k-y<@iF{4%761b>gUbB z4QmP>{3C|urU#PiC;P|8#`=qycxh8&j6koX{M+sI$*p64P;$0N>2pLyuGZgOoa;-j zpUHO34+B30!yu9#vhg_anMEnP4)hmDP_k3>r$F@;{JERpb#QrZZ>}VzX74unneFCu z$Zs~gIhmOm>>iux-;`#l_#)HG@XY)LZge3l-Bf5LmtU8Ktdca7=m|j@X6_sE!mLH^ zTy{IdBW%>@0Kuf=JF^`Btxuj<)7?8e(6Mq`X;XS+uzTZtHn(*I{P3?&meYF(3hI*> zm{`A~0v4svih^{L-#GO&KXa7Mba(ecUa1d29@q5LZLdv~K1c1D+t%OLyOj&Eyya>G z$zISqHaj4y%l%=Xd;Lhcn3+SLm>)={vb6yCRfbPZpBo$4RGb_rW=8tE*F%B}<@)t0 ztfq7ph3?)R{hQX0fe(|LH*Fsp+%!g&Tb-Kq>CfHsqaOX4`H6l!*S|3{*^fr1@^$!G zqjU_77>_n0e{Q&b{@glB=b@#0{VdlNd>dV}sxJR4lrH!muk_`(k7ZXCKz|+ixRcX) zC>t0rPWN+n6rzgpZmi7hRoF)Kh$K^9dV5(wYSheK1OP^u=(NL-`Rv^}WXn*eTs?=R 
ze3`OtrtbxUU5FDeAn*7Twt~J|3PTGE1v7~gdbjiVNBtpxH@)ts?<)yEY&r2+Pk&gx zvT-WEdCgkzhhNH0l+BJ1)rBmj3;HRYt1AXMmWN^-GBE`CH0qzld8W5OC5pOF)l z8K-)5(|8B&;CqIuCisy}gB7dRYydyF0j=?BHStdjNlbsfunqE^N~3+nh{Nf~($zaj zIk^p-{LZZ)_=60eGdcNvH>G>?yIAW_W_FbN)>j8a-vNMpjq=ywcbU@j1h88vPv3jD zg8n-EUd`zYdT_j08{EWA!$gZeM0&2exv#g{-v>73HjDutliqFS68gd5nm)hzZDey2 zeWjz2mi*)-R?4@J}#)5{+Df^qP1;{yEN1Se5a8?N;KKzr3&Ebnb9v=ujn;#%Gx1&A+{~ z>nNRv7p{+Jv%A&|`1J35mGZmzL6~}aCoAKke1*$%F0((V`bLS;#rQe1+0aph0+$;v zZQ3sS_nq_Oe)3URgGS+zi4YspzUV)5#NT89{vDq9Qv}MCk8;n-+0Ds~^JTPkk??tr zce!}lcf1>ePP1{MJU$k$nEfxen)26a51rCQ|5M5nD|@z1`0*p@$qy3J+}85=M$%ul z^>wVD95DK1jqBszK2=Jmxu7j>gkT8ee;8yv?nk??sp5I!nEB|>;7y1HpjlLwtAk6=S-=E*P zb(HR}ujDzMl~iTE6g46GxTP>(;#1(aOz$?LclkWg%aw4BZ#`?!lrH%te&kr6=u1LZ zTEpf2`+F~^Tk~74Fj<#BSx)Eif%Pe-ESu^?Q~UELTcva!AG*^cQhs>+>n?5;dhWXH z0M*B{e-u_zd4Y@TiQR6I`Bid5#xbDSgfwKj#AS*Em1H6Z|C1*)?11^QV{7 znLvO2EL-lx_~(@8mAryud5)7Vxr5dgy~Ajm{5BGs)l~1bTtAkNJJ(Fzc3Wb@7tvlk z-&p#{ya3Hvx&N&oeAPAc&h=xiP~uFY{i%M+`ms##)AIzMGdbn&HcEHNA2mvDWT1O+ zmd317cS5egvkA&yXMWvI>2th(SIP?nopr~%!W`9)*ONW{BLh7f#n?~v5g#VK)Lon} z(Hac;Kf&Wha_tAqgNTeQC-(y|)<7TL)Vmeyqy-U~o~?in17UnvU+>*Y`R)B< z9V>B0+Y-I`VXEKFYnD6ZGpFhsvxMJl9x8>RJvr#c{gVTjqgfx#&r>7$)3=uDuXCe9 zZ=ByO;8mB`A3rx!x^w)bIvO7qo&JuMvx9v($aijAeR#RMDczc1^D6@Kr%e2cepg$A zU8y?#xk~9S{fy@)L!Zd($gbHi4Ssma^LlCzmppTMYkteIJh0GN{jXy+FRO^Ryq}2m z7(Oh2xdO?9PV&bu-TfcwuKv&CDfS;Gu$MDA*gZ1Mb1MPu@sLN`{uHN+{VAn96|GYJ zXf#s$%LXQs^$%8CdTG6wuTr;|rku3VYV414eeRqGy|-tW^});np8KP%_Zwljl0V)`$wt-oKpiPGn2 zXv|GwEu3IkSXrn~&k9aw`7C#A94(D++&YN;YvPxG{qt2y7y4TNSb3s%lJ*ac{ZV}9 zz2>c(`_^OL7W?<5O@lM|o+uk@L26%r_=P!!Pc5m8Pj{}ZzyH}y>8|mKL|0iq7U#F4 zeR!0%#+O8y`XkpTKg`22eNPbnJE?!>SRbH`HL<^ws}lWVUi1tzXwEsp^l<$r%ZUv3 zJrlEo-6R_Dcd1+d{2ZnGuRp*aqD4j+JB7Ch8eLHoq15>&Yvp^L$i- zt~9ub_C|8+^t$6yE=%dm$exY7w?Pc4tX)-iekoD9qR&qRjMw0gF2H&GW)v@Dy571_l^yYZ>0U?G?(mV{5m~b<7;x5rg5QP z)9c(e(&yIFHjdaoUrpm}2Ne?IEo&9Zc&ih>FB1KA+IO7N=XiaD^91x2?B|MhDcnuv zJ>{#gA?YDsjN07mORD>1^T=OsJeVi`^ZJr>%l_mT_r95ZlUv6l94xq*d3L2V@V(|D-n_FO^bZ`*dWOa8iY 
zR(s~F8H}gYT*im-5x;Q8T;p{U5|(@6TgCm;!ndYC^-0}~_F*83zPFWu6REi}Jqn_k z{uLPz*}E2n>d3=NN>}ESO#%7u;{1dvM|J}9rA?Wc?1};wJ$2f zv`-(UEA6u_ApbDuC;6fM`1QotY(|P>1m6zjSF`#@Gr*nN!p6rfhaNc9_YXztCcx1J2lGg{kMB{({2jow2ern3xwt-|~q_hdcY;G%5^?Ll|^g8nc!^3%CCQ+t!esM#6cwL;%q6E8? ztvLUypTC>aIX~+{E9dLyU%~0j>QZ+G@-NpMIKNnnr9z$lK11nqR22IU_`5tHe+TEM z_EFAbavLz!)#E3pJNelSASCa}62=O^TS4+71|=Fl`P0k#rm(8x{lpaS-}Ct*@8_?j z?+jU-FK%3msWVlmPfri0Zy*dWdb@BJ|DAC`T{o$~~bNf-R23JCj<0_JG7$;2GyO=S&^b|QS<{EZ{U#b4+6x1P)U- + def convertToMilliseconds(long timestamp) { + if ((long)1e19 - 1 < timestamp) { + throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp); + } else if ((long)1e16 - 1 < timestamp) { + return timestamp / 1000000; // Convert nanoseconds to milliseconds + } else if ((long)1e13 - 1 < timestamp) { + return timestamp / 1000; // Convert microseconds to milliseconds + } else if ((long)1e10 - 1 < timestamp) { + return timestamp; // Already in milliseconds, no conversion needed + } else { + return timestamp * 1000; // Convert seconds to milliseconds + } + } + + def processFields(Map fields) { + for (entry in fields.entrySet()) { + def fieldName = entry.getKey(); + def fieldValue = entry.getValue(); + // Check if the field is a nested object (Map) + if (fieldValue instanceof Map) { + // Recursively process nested objects + processFields((Map) fieldValue); + } else if (fieldName.endsWith('time') || fieldName.endsWith('_time')) { + // If the field name ends with "time" or "_time" and is a number, convert it + if (fieldValue instanceof Number) { + fields[fieldName] = convertToMilliseconds(((Number) fieldValue).longValue()); + } + } + } + return null; + } + processFields(ctx.ocsf); + + - rename: + field: ocsf.resource + target_field: ocsf.resources + tag: rename_resource_to_resources + ignore_missing: true + if : ctx.ocsf?.resources == null + - rename: + field: ocsf.finding_info_list + target_field: ocsf.finding_info + tag: rename_finding_info_list_to_finding_info + 
 ignore_missing: true
+ if : ctx.ocsf?.finding_info == null
 - convert:
 field: ocsf.class_uid
 tag: convert_class_uid_to_string
@@ -28,12 +82,12 @@ processors:
 - set:
 field: event.kind
 tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid)
 value: event
 - set:
 field: event.kind
 tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid)
 value: alert
 - append:
 field: event.category
@@ -46,7 +100,7 @@ processors:
 tag: append_vulnerability_into_event_category
 value: vulnerability
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
+ if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
 - append:
 field: event.category
 tag: append_iam_into_event_category
@@ -70,7 +124,7 @@ processors:
 tag: append_network_into_event_category
 value: network
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010','4013'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.category
 tag: append_api_into_event_category
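Review bot: Both `event.kind` lists in this hunk still omit class 3004, while the `pipeline_object_actor` and `pipeline_object_device` conditions in the `@@ -699` hunk further down do include it, so an event of that class is routed through the object pipelines but ends up with no `event.kind` at all (3004 is Entity Management in OCSF, if I have the id right). This commit extends the same hand-maintained class-id list in roughly twenty processors, and the 3004 gap is what drift between those copies looks like; deriving the kind once from the category digit would remove the duplication, e.g. `if: ctx.ocsf?.class_uid != null && ctx.ocsf.class_uid.startsWith('2')` for `alert` and `if: ctx.ocsf?.class_uid != null && !ctx.ocsf.class_uid.startsWith('2')` for `event`, since `class_uid` is already a string here and every 2xxx class in the alert list is a finding. If 3004 is excluded on purpose, a comment next to the list saying so would stop the next reader from re-adding it.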
@@ -82,7 +136,7 @@ processors:
 tag: append_file_into_event_category
 value: file
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011','6006'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.category
 tag: append_email_into_event_category
@@ -124,7 +178,7 @@ processors:
 tag: append_info_into_event_type
 value: info
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.type
 tag: append_user_into_event_type
@@ -148,7 +202,7 @@ processors:
 tag: append_creation_into_event_type
 value: creation
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1001','2005','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_access_into_event_type
@@ -166,13 +220,13 @@ processors:
 tag: append_start_into_event_type
 value: start
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4013','4007','6002','6007'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start','Started','Symmetric Active Exchange','Client Synchronization','Broadcast','Control'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_end_into_event_type
 value: end
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','2005','3002','4001','4007','4013','6002','6007'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Completed','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_denied_into_event_type
@@ -190,7 +244,7 @@ processors:
 tag: append_change_into_event_type
 value: change
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1001','2005','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_connection_into_event_type
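Review bot: `'Other'` in the new `end` activity list means any event of classes 1007, 2005, 3002, 4001, 4007, 4013, 6002 or 6007 whose `activity_name` is `Other` is now typed `end`, which is wrong for process, authentication and application-lifecycle events if, as elsewhere in OCSF, `Other` is the generic catch-all activity; `'Private Use Case'` under `end` and `'Control'` under `start` have the same problem in milder form. These strings look like they were added for the NTP class alone, so the safer shape is a separate append guarded by `['4013'].contains(ctx.ocsf.class_uid)` that lists only the NTP activity names and leaves `Other` unmapped. The `'4013'` entry is also inserted at a different position in the two lists (`'4001','4013','4007'` above, `'4007','4013'` below), which makes the paired conditions harder to compare by eye.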
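Review bot: The rewritten `change` condition still lists `'Update'` twice (`['Update','File Supersede','File Overwrite','Update','Rename']`); `contains` does not care, but since the line is touched anyway it is worth dropping the duplicate so the list reads as the intended set, `['Update','File Supersede','File Overwrite','Rename']`.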
@@ -202,13 +256,13 @@ processors:
 tag: append_installation_into_event_type
 value: installation
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['6002'].contains(ctx.ocsf.class_uid) && ['Install'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['6002','5004'].contains(ctx.ocsf.class_uid) && ['Install','Log','Collect'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_error_into_event_type
 value: error
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['6004'].contains(ctx.ocsf.class_uid) && ['Access Error'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['6004','6007'].contains(ctx.ocsf.class_uid) && ['Access Error','Error'].contains(ctx.ocsf.activity_name)
 - set:
 field: cloud.account.id
 tag: set_cloud_account_uid
@@ -363,6 +417,11 @@ processors:
 tag: convert_cloud_account_type_id_to_string
 type: string
 ignore_missing: true
+ - convert:
+ field: ocsf.resource.owner.type_id
+ tag: convert_resource_owner_type_id_to_string
+ type: string
+ ignore_missing: true
 - convert:
 field: ocsf.count
 tag: convert_count_to_long
@@ -588,17 +647,6 @@ processors:
 tag: convert_type_id_to_string
 type: string
 ignore_missing: true
- - script:
- lang: painless
- tag: script_to_map_observables_into_key_value_pair
- description: Map observables into key value pair.
- if: ctx.ocsf?.observables != null && ctx.ocsf.observables instanceof List
- source: >
- for (int i = 0; i < ctx.ocsf.observables.length; ++i) {
- if (ctx['ocsf']['observables'][i]['value'] != null) {
- ctx.ocsf.observables[i][ctx['ocsf']['observables'][i]['name']] = ctx['ocsf']['observables'][i]['value'];
- }
- }
 - convert:
 field: ocsf.severity_id
 tag: convert_severity_id_to_long
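Review bot: The new `convert` on `ocsf.resource.owner.type_id` runs after the `rename` of `ocsf.resource` to `ocsf.resources` that this commit adds near the top of the same pipeline (visible earlier on this page, guarded by `if : ctx.ocsf?.resources == null`), so for every document where that rename fired the field no longer exists and `ignore_missing: true` turns the processor into a silent no-op; only documents that arrived with both `resource` and `resources` are still touched. If the goal is to normalise the owner type under the plural field, the convert has to target `ocsf.resources.owner.type_id`, and because `resources` is handled as a list elsewhere in this package (the `foreach` over `ocsf.resources` in the application-activity pipeline further down this page) it would need to sit inside a `foreach` rather than run as a flat convert. As written, `type_id` ends up numeric in some documents and a string in others, which is exactly the mapping conflict the convert is meant to prevent.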
@@ -699,37 +747,37 @@ processors:
 ignore_missing: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_actor" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
 tag: pipeline_object_actor
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_attack" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null
 tag: pipeline_object_attack
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_connection_info" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013','6006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
 tag: pipeline_object_network_connection_info
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_device" }}'
- if: ctx.ocsf?.class_uid != null && 
['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','5019','6001','6002','6004','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
 tag: pipeline_object_device
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_http_request" }}'
- if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null
 tag: pipeline_object_http_request
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_malware" }}'
- if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
+ if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
 tag: pipeline_object_malware
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}'
- if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','6001','6003','6004'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
+ if: ctx.ocsf?.class_uid != null && 
['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004','6005','6006'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
 tag: pipeline_object_network_endpoint
 ignore_missing_pipeline: true
 - pipeline:
@@ -739,27 +787,27 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_proxy" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null
 tag: pipeline_object_proxy
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_tls" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null
 tag: pipeline_object_tls
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_traffic" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null
 tag: pipeline_object_traffic
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_user" }}'
- if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','3006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null
+ if: ctx.ocsf?.class_uid != null && ['2005','3001','3002','3003','3005','3006','5003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null
 tag: pipeline_object_user
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_file" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011','6006'].contains(ctx.ocsf.class_uid)
 tag: pipeline_object_file
 ignore_missing_pipeline: true
 - pipeline:
@@ -994,6 +1042,10 @@ processors:
 tag: remove_duplicate_custom_fields_from_malware_cves_array
 ignore_missing: true
 if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field: aws
+ tag: remove_aws_fields
+ ignore_missing: true
 - remove:
 field:
 - ocsf.time
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml
index 741c5a785be5..d7e402a1eca6 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml
@@ -1,6 +1,6 @@
 ---
 description: Pipeline for processing API Activity category.
-# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/application?extensions=
+# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/application?extensions=
 processors:
 - foreach:
 field: ocsf.resources
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml
index d9322ab19053..6f6446831165 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml
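Review bot: The updated `pipeline_object_file` condition is the only one in this run without an object-presence guard: every sibling in the hunk (`proxy`, `tls`, `traffic`, `user`) ends with `&& ctx.ocsf.<object> != null`, while the file one dispatches on class alone, `if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011','6006'].contains(ctx.ocsf.class_uid)`. That may be deliberate if the sub-pipeline maps more than one file-shaped object, but as written every 6006 event now enters it even when it carries no `file`. If it is deliberate, a one-line comment on the processor naming the objects it covers would keep the next editor from "fixing" it; otherwise append `&& ctx.ocsf.file != null` as the others do.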
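Review bot: The new `remove` of the whole `aws` object is unconditional, unlike the neighbouring removes in this file that are gated on the `preserve_duplicate_custom_fields` tag. I am inferring the field's origin since it is not shown here, but if `aws` carries the input's S3 object metadata for the record, dropping it discards the provenance an analyst needs to trace a Security Lake document back to the bucket and object it was read from. A processor-level comment stating what `aws` holds and why it is dropped would help, and a tag guard in the style of the siblings, `if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))`, or a dedicated tag, would give operators a way to keep it.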
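Review bot: The touched comment in `pipeline_category_application_activity.yml` still says "API Activity class docs" and the `description` above it "Pipeline for processing API Activity category", although the file handles the Application Activity category (API Activity is one class within it) and the URL now points at the category page; the same stale label is carried into `pipeline_category_discovery.yml` in the next hunk, whose description and comment also read "API Activity" for the Discovery category. Since both lines are being edited for the 1.1.0 bump anyway, renaming them to match the file, e.g. `# Application Activity category docs: https://schema.ocsf.io/1.1.0/categories/application?extensions=` and `description: Pipeline for processing Application Activity category.`, would remove the mismatch.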
@@ -1,6 +1,6 @@ --- description: Pipeline for processing API Activity category. -# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/discovery?extensions= +# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/discovery?extensions= processors: - set: field: rule.category diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml index 347f06373c0f..9f996b89124d 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Findings category. -# Security Findings Class docs: https://schema.ocsf.io/1.0.0/categories/findings?extensions= +# Security Findings Class docs: https://schema.ocsf.io/1.1.0/categories/findings?extensions= processors: - set: field: event.reference diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml index da114b33d82f..ed1002cecc49 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Identity & Access Management category. -# Category docs: https://schema.ocsf.io/1.0.0/categories/iam?extensions= +# Category docs: https://schema.ocsf.io/1.1.0/categories/iam?extensions= processors: - set: field: user.changes.domain 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml index 69a0cd4574bb..10b22390f97c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Activity category. -# Network Activity Class docs: https://schema.ocsf.io/1.0.0/categories/network?extensions= +# Network Activity Class docs: https://schema.ocsf.io/1.1.0/categories/network?extensions= processors: - convert: field: ocsf.disposition_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml index 8c1ab02ed585..210eaf1ce6d7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - convert: field: ocsf.access_mask diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml index 3b2580319b47..48c4e8a85195 100644 
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Actor object. -# Actor object docs: https://schema.ocsf.io/1.0.0/objects/actor?extensions= +# Actor object docs: https://schema.ocsf.io/1.1.0/objects/actor?extensions= processors: - set: field: container.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml index c760fd60a50f..20fe17297f75 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Attack object. -# Attack object docs: https://schema.ocsf.io/1.0.0/objects/attack?extensions= +# Attack object docs: https://schema.ocsf.io/1.1.0/objects/attack?extensions= processors: - foreach: field: ocsf.attacks diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml index e1622502ef5a..a949ab475f0c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Device object. -# Device object docs: https://schema.ocsf.io/1.0.0/objects/device?extensions= +# Device object docs: https://schema.ocsf.io/1.1.0/objects/device?extensions= processors: - set: field: host.domain 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml index 75160a3ea7e3..4c27525a4054 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing File object. -# File object docs: https://schema.ocsf.io/1.0.0/objects/file?extensions= +# File object docs: https://schema.ocsf.io/1.1.0/objects/file?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml index 5bed93443394..45a5567db1f7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Http Request object. -# Http Request object docs: https://schema.ocsf.io/1.0.0/objects/http_request?extensions= +# Http Request object docs: https://schema.ocsf.io/1.1.0/objects/http_request?extensions= processors: - set: field: http.request.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml index 653e91bfe751..12cc9ecf0889 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml 
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Malware object. -# Malware object docs: https://schema.ocsf.io/1.0.0/objects/malware?extensions= +# Malware object docs: https://schema.ocsf.io/1.1.0/objects/malware?extensions= processors: - foreach: field: ocsf.malware diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml index a5cde447b830..18513e4098da 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Connection object. -# Network Connection object docs: https://schema.ocsf.io/1.0.0/objects/network_connection_info?extensions= +# Network Connection object docs: https://schema.ocsf.io/1.1.0/objects/network_connection_info?extensions= processors: - convert: field: ocsf.connection_info.boundary_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml index cb532f58e68c..320c91d35647 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml 
@@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Endpoint object. -# Network Endpoint object docs: https://schema.ocsf.io/1.0.0/objects/network_endpoint?extensions= +# Network Endpoint object docs: https://schema.ocsf.io/1.1.0/objects/network_endpoint?extensions= processors: - append: field: source.domain diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml index e9ae423f1214..49595bf8ced8 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Process object. -# Process object docs: https://schema.ocsf.io/1.0.0/objects/process?extensions= +# Process object docs: https://schema.ocsf.io/1.1.0/objects/process?extensions= processors: - set: field: container.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml index ec49777db755..95606ecbda51 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Proxy object. -# Network Proxy object docs: https://schema.ocsf.io/1.0.0/objects/network_proxy?extensions= +# Network Proxy object docs: https://schema.ocsf.io/1.1.0/objects/network_proxy?extensions= processors: - convert: field: ocsf.proxy.location.is_on_premises 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml index e6e49674c9b7..163eaf0921bf 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity helper category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml index fb0b272afaa1..61409c7f1d33 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing TLS object. -# TLS object docs: https://schema.ocsf.io/1.0.0/objects/tls?extensions= +# TLS object docs: https://schema.ocsf.io/1.1.0/objects/tls?extensions= processors: - set: field: tls.cipher diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml index 2629b54fb14b..1b2ab5343f1a 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml 
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Traffic object. -# Network Traffic object docs: https://schema.ocsf.io/1.0.0/objects/network_traffic?extensions= +# Network Traffic object docs: https://schema.ocsf.io/1.1.0/objects/network_traffic?extensions= processors: - convert: field: ocsf.traffic.bytes_in diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml index c51d99a351a7..803acf7a1956 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing User object. -# User object docs: https://schema.ocsf.io/1.0.0/objects/user?extensions= +# User object docs: https://schema.ocsf.io/1.1.0/objects/user?extensions= processors: - set: field: user.target.domain 
@@ -87,6 +87,38 @@ processors: value: '{{{ocsf.user.uid_alt}}}' allow_duplicates: false if: ctx.ocsf?.user?.uid_alt != null + - foreach: + field: ocsf.user.ldap_person.email_addrs + if: ctx.ocsf?.user?.ldap_person?.email_addrs instanceof List + ignore_failure: true + processor: + append: + field: user.ldap_person.email_addrs + tag: append_user_ldap_person_email_addrs + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - foreach: + field: ocsf.user.ldap_person.labels + if: ctx.ocsf?.user?.ldap_person?.labels instanceof List + ignore_failure: true + processor: + append: + field: user.ldap_person.labels + tag: append_user_ldap_person_labels + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - convert: + field: ocsf.user.ldap_person.location.is_on_premises + tag: convert_user_ldap_person_location_is_on_premises_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: ocsf.user.ldap_person.location.is_on_premises + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' on_failure: - append: field: error.message diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml new file mode 100644 index 000000000000..03904b41c3a0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml 
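Review bot: Both new `foreach` processors append `{{{_ingest._value.name}}}`, but in the OCSF 1.1 `ldap_person` object `email_addrs` and `labels` are arrays of plain strings (email and string arrays), not objects with a `name` key, so each append would resolve to an empty value and the `ignore_failure: true` on the loop would hide it — verify against a sample record before relying on this. If the elements are strings, both appends should use `value: '{{{_ingest._value}}}'`. I would also drop `ignore_failure` in favour of an `on_failure` that appends to `error.message`, as the sibling `convert` for `is_on_premises` already does, so a silent loss of user identity attributes is at least visible in the indexed document rather than swallowed. The enclosing `processors` list starts before this hunk.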
@@ -0,0 +1,1638 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. diff --git a/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml 
@@ -0,0 +1,154 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: api
+ type: group
+ description: Describes details about a typical API (Application Programming Interface) call.
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: group
+ type: group
+ description: The information pertaining to the API group.
+ fields:
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: request
+ type: group
+ description: Details pertaining to the API request.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: response
+ type: group
+ description: Details pertaining to the API response.
+ fields:
+ - name: code
+ type: integer
+ description: The numeric response sent to a request.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: text
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: message
+ type: text
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ description: The information pertaining to the API service.
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml
index c034c1b6dbbd..ce287c5392ef 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml
@@ -14,7 +14,6 @@
- name: event.dataset
type: constant_keyword
description: Event dataset.
- value: amazon_security_lake.event
- name: '@timestamp'
type: date
description: Event timestamp.
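Review bot: `containers.size` under both `api.request` and `api.response` is mapped as `integer`, a 32-bit type, although the description says it is the size of the container image and the container mapping this change removes from fields.yml kept `size` as `long`; an image larger than 2 GiB would fail to index rather than be stored. Both occurrences should read `type: long`. The same object's `group.desc` is `text` here, while the `desc` of the group objects in actor-fields and device-fields in this change is `keyword`, so this one cannot be aggregated or exact-matched like the others; `type: keyword` would keep the group object consistent across the data stream's field files.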
diff --git a/packages/amazon_security_lake/data_stream/event/fields/beats.yml b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
index 4084f1dc7f51..e2a02e078e81 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
@@ -1,6 +1,12 @@
-- name: input.type
+- description: Type of Filebeat input.
+ name: input.type
type: keyword
- description: Type of filebeat input.
-- name: log.offset
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
type: long
- description: Log offset.
+- description: Log message optimized for viewing in a log viewer.
+ name: event.message
+ type: text
diff --git a/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
new file mode 100644
index 000000000000..1fbf81b593e4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
@@ -0,0 +1,348 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version.
For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 670974d5c4bc..bfa26366a867 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
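Review bot: Three descriptions in this new device-fields.yml carry copy errors that will surface in the generated field reference: `created_time_dt` reads `description: TThe time when the device was known to have been created.` and `hostname` reads `description: The devicename.`; `The time when the device was known to have been created.` and `The device hostname.` would match the neighbouring entries. Near the end of the file `uid_alt` is described as `The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.`, which is the wording the actor-fields hunk uses for the user object and does not fit a device attribute whose sibling `uid` cites the Windows TargetSID or AWS EC2 ARN; a device-specific sentence such as `The alternate unique identifier of the device.` is presumably what was intended. The `integer` type on `namespace_pid` fits a PID, but `size`-style byte counts elsewhere in this change are `integer` too, so it is worth checking each numeric field's expected range when the mappings are reviewed together.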
@@ -10,3669 +10,945 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor + - name: action_id + type: integer + description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. + - name: action + type: keyword + description: The normalized caption of action_id. + - name: actual_permissions + type: long + description: The permissions that were granted to the in a platform-native format. + - name: analytic type: group fields: - - name: authorizations + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics type: group fields: - - name: decision + - name: category type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. 
- - name: idp + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: flattened + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: answers + type: group + fields: + - name: class + type: keyword + description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' + - name: flag_ids + type: keyword + description: The list of DNS answer header flag IDs. + - name: flags + type: keyword + description: The list of DNS answer header flags. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + - name: rdata + type: keyword + description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. + - name: ttl + type: long + description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. + - name: type + type: keyword + description: 'The type of data contained in this resource record. See RFC1035. 
For example: CNAME.' + - name: app + type: group + fields: + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The CIS benchmark name. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: path + type: keyword + description: The installation path of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product, as defined by the event source. + - name: app_name + type: keyword + description: The name of the application that is associated with the event or object. + - name: attacks + type: group + fields: + - name: tactics type: group fields: - name: name type: keyword - description: The name of the identity provider. + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. - name: uid type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique type: group fields: - - name: auid + - name: name type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' 
+ - name: uid + type: keyword + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. + - name: attempt + type: long + description: The attempt number for attempting to deliver the email. + - name: auth_protocol + type: keyword + description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. + - name: auth_protocol_id + type: keyword + description: The normalized identifier of the authentication protocol used to create the user session. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container + description: The description of the policy. + - name: group type: group fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. 
- - name: name - type: keyword - description: The container name. - - name: network_driver + - name: domain type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid + description: The group description. + - name: name type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime + description: The group name. + - name: privileges type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag + description: The group privileges. + - name: type type: keyword - description: The tag used by the container. It can indicate version, format, OS. + description: The type of the group or account. - name: uid type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name type: keyword - description: The effective group under which this process is running. - - name: euid + description: 'The policy name. For example: IAM Policy.' + - name: uid type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. 
- - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. 
- - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. 
- - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' 
- - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: flattened
- description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
- - name: parent_process_keyword
- type: keyword
- ignore_above: 1024
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox).
For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier.
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: actual_permissions
- type: long
- description: The permissions that were granted to the in a platform-native format.
- - name: analytic
- type: group
- fields:
- - name: category
- type: keyword
- description: The analytic category.
- - name: desc
- type: keyword
- description: The description of the analytic that generated the finding.
- - name: name
- type: keyword
- description: The name of the analytic that generated the finding.
- - name: related_analytics
- type: group
- fields:
- - name: category
- type: keyword
- description: The analytic category.
- - name: desc
- type: keyword
- description: The description of the analytic that generated the finding.
- - name: name
- type: keyword
- description: The name of the analytic that generated the finding.
- - name: related_analytics
- type: flattened
- - name: type
- type: keyword
- description: The analytic type.
- - name: type_id
- type: keyword
- description: The analytic type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the analytic that generated the finding.
- - name: version
- type: keyword
- description: 'The analytic version. For example: 1.1.'
- - name: type
- type: keyword
- description: The analytic type.
- - name: type_id
- type: keyword
- description: The analytic type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the analytic that generated the finding.
- - name: version
- type: keyword
- description: 'The analytic version. For example: 1.1.'
- - name: answers
- type: group
- fields:
- - name: class
- type: keyword
- description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.'
- - name: flag_ids
- type: keyword
- description: The list of DNS answer header flag IDs.
- - name: flags
- type: keyword
- description: The list of DNS answer header flags.
- - name: packet_uid
- type: keyword
- description: The DNS packet identifier assigned by the program that generated the query.
The identifier is copied to the response.
- - name: rdata
- type: keyword
- description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.
- - name: ttl
- type: long
- description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.
- - name: type
- type: keyword
- description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.'
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
- - name: app
- type: group
- fields:
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The CIS benchmark name.
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: The version of the product, as defined by the event source.
- - name: app_name
- type: keyword
- description: The name of the application that is associated with the event or object.
- - name: attacks
- type: group
- fields:
- - name: tactics
- type: group
- fields:
- - name: name
- type: keyword
- description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: uid
- type: keyword
- description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: technique
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
- - name: uid
- type: keyword
- description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
- - name: version
- type: keyword
- description: The ATT&CK Matrix version.
- - name: attempt
- type: long
- description: The attempt number for attempting to deliver the email.
- - name: auth_protocol
- type: keyword
- description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.
- - name: auth_protocol_id
- type: keyword
- description: The normalized identifier of the authentication protocol used to create the user session.
- - name: banner
- type: keyword
- description: The initial SMTP connection response that a messaging server receives after it connects to a email server.
- - name: base_address
- type: keyword
- description: The memory address that was access or requested.
- - name: capabilities
- type: keyword
- description: A list of RDP capabilities.
- - name: category_name
- type: keyword
- description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
- - name: category_uid
- type: keyword
- description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: certificate_chain
- type: keyword
- description: The list of observed certificates in an RDP TLS connection.
- - name: cis_benchmark_result
- type: group
- fields:
- - name: desc
- type: keyword
- description: The CIS benchmark description.
- - name: name
- type: keyword
- description: The CIS benchmark name.
- - name: remediation
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the remediation strategy.
- - name: kb_articles
- type: keyword
- description: The KB article/s related to the entity.
- - name: rule
- type: group
- fields:
- - name: category
- type: keyword
- description: The rule category.
- - name: desc
- type: keyword
- description: The description of the rule that generated the event.
- - name: name
- type: keyword
- description: The name of the rule that generated the event.
- - name: type
- type: keyword
- description: The rule type.
- - name: uid
- type: keyword
- description: The unique identifier of the rule that generated the event.
- - name: version
- type: keyword
- description: The rule version.
- - name: cis_csc
- type: group
- fields:
- - name: control
- type: keyword
- description: The CIS critical security control.
- - name: version
- type: keyword
- description: The CIS critical security control version.
- - name: class_name
- type: keyword
- description: 'The event class name, as defined by class_uid value: Security Finding.'
- - name: class_uid
- type: keyword
- description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
- - name: client_dialects
- type: keyword
- description: The list of SMB dialects that the client speaks.
- - name: client_hassh
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation."
- - name: fingerprint
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: cloud
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: project_uid
- type: keyword
- description: The unique identifier of a Cloud project.
- - name: provider
- type: keyword
- description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
- - name: region
- type: keyword
- description: The name of the cloud region, as defined by the cloud provider.
- - name: zone
- type: keyword
- description: The availability zone in the cloud region, as defined by the cloud provider.
- - name: codes
- type: long
- description: The list of return codes to the FTP command.
- - name: command
- type: keyword
- description: The command name.
- - name: command_responses
- type: keyword
- description: The list of responses to the FTP command.
- - name: compliance
- type: group
- fields:
- - name: status_detail
- type: keyword
- description: The status details contains additional information about the event outcome.
- - name: requirements
- type: keyword
- description: A list of applicable compliance requirements for which this finding is related to.
- - name: status
- type: keyword
- description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
- - name: comment
- type: keyword
- description: The user provided comment about why the entity was changed.
- - name: component
- type: keyword
- description: The name or relative pathname of a sub-component of the data object, if applicable.
- - name: confidence
- type: keyword
- description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
- - name: confidence_id
- type: keyword
- description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.
- - name: confidence_score
- type: long
- description: The confidence score as reported by the event source.
- - name: connection_info
- type: group
- fields:
- - name: boundary
- type: keyword
- description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
- - name: boundary_id
- type: keyword
- description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
- - name: direction
- type: keyword
- description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
- - name: direction_id
- type: keyword
- description: The normalized identifier of the direction of the initiated connection, traffic, or email.
- - name: protocol_name
- type: keyword
- description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.'
- - name: protocol_num
- type: keyword
- description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA).
Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.'
- - name: protocol_ver
- type: keyword
- description: The Internet Protocol version.
- - name: protocol_ver_id
- type: keyword
- description: The Internet Protocol version identifier.
- - name: tcp_flags
- type: long
- description: The network connection TCP header flags (i.e., control bits).
- - name: uid
- type: keyword
- description: The unique identifier of the connection.
- - name: connection_uid
- type: keyword
- description: The network connection identifier.
- - name: count
- type: long
- description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
- - name: create_mask
- type: keyword
- description: The original Windows mask that is required to create the object.
- - name: data_sources
- type: keyword
- description: The data sources for the finding.
- - name: dce_rpc
- type: group
- fields:
- - name: command
- type: keyword
- description: The request command (e.g. REQUEST, BIND).
- - name: command_response
- type: keyword
- description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT).
- - name: flags
- type: keyword
- description: The list of interface flags.
- - name: opnum
- type: long
- description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.
- - name: rpc_interface
- type: group
- fields:
- - name: ack_reason
- type: long
- description: An integer that provides a reason code or additional information about the acknowledgment result.
- - name: ack_result
- type: long
- description: An integer that denotes the acknowledgment result of the DCE/RPC call.
- - name: uuid
- type: keyword
- description: The unique identifier of the particular remote procedure or service.
- - name: version
- type: keyword
- description: The version of the DCE/RPC protocol being used in the session.
- - name: device
- type: group
- fields:
- - name: autoscale_uid
- type: keyword
- description: The unique identifier of the cloud autoscale configuration.
- - name: created_time
- type: date
- description: The time when the device was known to have been created.
- - name: created_time_dt
- type: date
- description: TThe time when the device was known to have been created.
- - name: desc
- type: keyword
- description: The description of the device, ordinarily as reported by the operating system.
- - name: domain
- type: keyword
- description: 'The network domain where the device resides. For example: work.example.com.'
- - name: first_seen_time
- type: date
- description: The initial discovery time of the device.
- - name: first_seen_time_dt
- type: date
- description: The initial discovery time of the device.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: hostname
- type: keyword
- description: The devicename.
- - name: hw_info
- type: group
- fields:
- - name: bios_date
- type: keyword
- description: 'The BIOS date. For example: 03/31/16.'
- - name: bios_manufacturer
- type: keyword
- description: 'The BIOS manufacturer. For example: LENOVO.'
- - name: bios_ver
- type: keyword
- description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
- - name: chassis
- type: keyword
- description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
- - name: cpu_bits
- type: long
- description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
- - name: cpu_cores
- type: long
- description: 'The number of processor cores in all installed processors. For Example: 42.'
- - name: cpu_count
- type: long
- description: 'The number of physical processors on a system. For example: 1.'
- - name: cpu_speed
- type: long
- description: 'The speed of the processor in Mhz. For Example: 4200.'
- - name: cpu_type
- type: keyword
- description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
- - name: desktop_display
- type: group
- fields:
- - name: color_depth
- type: long
- description: The numeric color depth.
- - name: physical_height
- type: long
- description: The numeric physical height of display.
- - name: physical_orientation
- type: long
- description: The numeric physical orientation of display.
- - name: physical_width
- type: long
- description: The numeric physical width of display.
- - name: scale_factor
- type: long
- description: The numeric scale factor of display.
- - name: keyboard_info
- type: group
- fields:
- - name: function_keys
- type: long
- description: The number of function keys on client keyboard.
- - name: ime
- type: keyword
- description: The Input Method Editor (IME) file name.
- - name: keyboard_layout
- type: keyword
- description: The keyboard locale identifier name (e.g., en-US).
- - name: keyboard_subtype
- type: long
- description: The keyboard numeric code.
- - name: keyboard_type
- type: keyword
- description: The keyboard type (e.g., xt, ico).
- - name: ram_size
- type: long
- description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
- - name: serial_number
- type: keyword
- description: The device manufacturer serial number.
- - name: hypervisor
- type: keyword
- description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: imei
- type: keyword
- description: The International Mobile Station Equipment Identifier that is associated with the device.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: ip
- type: ip
- description: The device IP address, in either IPv4 or IPv6 format.
- - name: is_compliant
- type: boolean
- description: The event occurred on a compliant device.
- - name: is_managed
- type: boolean
- description: The event occurred on a managed device.
- - name: is_personal
- type: boolean
- description: The event occurred on a personal device.
- - name: is_trusted
- type: boolean
- description: The event occurred on a trusted device.
- - name: last_seen_time
- type: date
- description: The most recent discovery time of the device.
- - name: last_seen_time_dt
- type: date
- description: The most recent discovery time of the device.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code.
For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The device Media Access Control (MAC) address.
- - name: modified_time
- type: date
- description: The time when the device was last known to have been modified.
- - name: modified_time_dt
- type: date
- description: The time when the device was last known to have been modified.
- - name: name
- type: keyword
- description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
- - name: network_interfaces
- type: group
- fields:
- - name: hostname
- type: keyword
- description: The hostname associated with the network interface.
- - name: ip
- type: ip
- description: The IP address associated with the network interface.
- - name: mac
- type: keyword
- description: The MAC address of the network interface.
- - name: name
- type: keyword
- description: The name of the network interface.
- - name: namespace
- type: keyword
- description: The namespace is useful in merger or acquisition situations.
For example, when similar entities exists that you need to keep separate.
- - name: subnet_prefix
- type: long
- description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
- - name: type
- type: keyword
- description: The type of network interface.
- - name: type_id
- type: keyword
- description: The network interface type identifier.
- - name: uid
- type: keyword
- description: The unique identifier for the network interface.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: os
- type: group
- fields:
- - name: build
- type: keyword
- description: The operating system build number.
- - name: country
- type: keyword
- description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
- - name: cpu_bits
- type: long
- description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
- - name: edition
- type: keyword
- description: The operating system edition. For example, Professional.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The operating system name.
- - name: sp_name
- type: keyword
- description: The name of the latest Service Pack.
- - name: sp_ver
- type: keyword
- description: The version number of the latest Service Pack.
- - name: type
- type: keyword
- description: The type of the operating system.
- - name: type_id
- type: keyword
- description: The type identifier of the operating system.
- - name: version
- type: keyword
- description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
- - name: region
- type: keyword
- description: The region where the virtual machine is located. For example, an AWS Region.
- - name: risk_level
- type: keyword
- description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
- - name: risk_level_id
- type: keyword
- description: The normalized risk level id.
- - name: risk_score
- type: long
- description: The risk score as reported by the event source.
- - name: subnet
- type: ip_range
- description: The subnet mask.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: type
- type: keyword
- description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
- - name: type_id
- type: keyword
- description: The device type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
- - name: dialect
- type: keyword
- description: The negotiated protocol dialect.
- - name: direction
- type: keyword
- description: The direction of the email, as defined by the direction_id value.
- - name: direction_id
- type: keyword
- description: The direction of the email relative to the scanning host or organization.
- - name: disposition
- type: keyword
- description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
- - name: disposition_id
- type: keyword
- description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.
- - name: driver
- type: group
- fields:
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: A unique identifier of the policy instance. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: dst_endpoint + description: The policy version number. + - name: banner + type: keyword + description: The initial SMTP connection response that a messaging server receives after it connects to a email server. + - name: base_address + type: keyword + description: The memory address that was access or requested. + - name: capabilities + type: keyword + description: A list of RDP capabilities. + - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: certificate type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). 
- - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code + - name: algorithm type: keyword - description: The postal code of the location. - - name: provider + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The provider of the geographical location data. 
- - name: region + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. - - name: email - type: group - fields: - - name: cc - type: keyword - description: The email header Cc values, as defined by RFC 5322. - - name: delivered_to - type: keyword - description: The Delivered-To email header field. - - name: from - type: keyword - description: The email header From values, as defined by RFC 5322. - - name: message_uid - type: keyword - description: The email header Message-Id value, as defined by RFC 5322. - - name: raw_header - type: keyword - description: The email authentication header. 
- - name: reply_to - type: keyword - description: The email header Reply-To values, as defined by RFC 5322. - - name: size - type: long - description: The size in bytes of the email, including attachments. - - name: smtp_from + description: The digital fingerprint value. + - name: issuer type: keyword - description: The value of the SMTP MAIL FROM command. - - name: smtp_to + description: The certificate issuer distinguished name. + - name: serial_number type: keyword - description: The value of the SMTP envelope RCPT TO command. + description: The serial number of the certificate used to create the digital signature. - name: subject type: keyword - description: The email header Subject value, as defined by RFC 5322. - - name: to - type: keyword - description: The email header To values, as defined by RFC 5322. - - name: uid - type: keyword - description: The email unique identifier. - - name: x_originating_ip - type: ip - description: The X-Originating-IP header identifying the emails originating IP address(es). - - name: email_auth - type: group - fields: - - name: dkim - type: keyword - description: The DomainKeys Identified Mail (DKIM) status of the email. - - name: dkim_domain - type: keyword - description: The DomainKeys Identified Mail (DKIM) signing domain of the email. - - name: dkim_signature - type: keyword - description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. - - name: dmarc - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. - - name: dmarc_override - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. - - name: dmarc_policy - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. - - name: spf - type: keyword - description: The Sender Policy Framework (SPF) status of the email. 
- - name: email_uid - type: keyword - description: The unique identifier of the email, used to correlate related email alert and activity events. - - name: end_time - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: end_time_dt - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: enrichments - type: group - fields: - - name: data - type: flattened - description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - - name: name - type: keyword - description: The name of the attribute to which the enriched data pertains. - - name: provider - type: keyword - description: The enrichment data provider name. - - name: type - type: keyword - description: The enrichment type. For example, location. - - name: value - type: keyword - description: The value of the attribute to which the enriched data pertains. - - name: entity - type: group - fields: - - name: data - type: flattened - description: The managed entity content as a JSON object. - - name: name - type: keyword - description: The name of the managed entity. - - name: type - type: keyword - description: The managed entity type. - - name: uid - type: keyword - description: The identifier of the managed entity. + description: The certificate subject distinguished name. - name: version type: keyword - description: The version of the managed entity. - - name: entity_result + description: The certificate version. + - name: certificate_chain + type: keyword + description: The list of observed certificates in an RDP TLS connection. + - name: cis_benchmark_result type: group fields: - - name: data - type: flattened - description: The managed entity content as a JSON object. - - name: name + - name: desc type: keyword - description: The name of the managed entity. 
- - name: type + description: The CIS benchmark description. + - name: name type: keyword - description: The managed entity type. - - name: uid + description: The CIS benchmark name. + - name: remediation + type: group + fields: + - name: desc + type: keyword + description: The description of the remediation strategy. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: rule + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: desc + type: keyword + description: The description of the rule that generated the event. + - name: name + type: keyword + description: The name of the rule that generated the event. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. + - name: cis_csc + type: group + fields: + - name: control type: keyword - description: The identifier of the managed entity. + description: The CIS critical security control. - name: version type: keyword - description: The version of the managed entity. - - name: evidence - type: flattened - description: The data the finding exposes to the analyst. - - name: expiration_time - type: date - description: The share expiration time. - - name: expiration_time_dt - type: date - description: The share expiration time. - - name: exit_code + description: The CIS critical security control version. + - name: class_name type: keyword - description: The exit code reported by a process when it terminates. 
The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - - name: file + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: client_dialects + type: keyword + description: The list of SMB dialects that the client speaks. + - name: client_hassh type: group fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor + - name: algorithm + type: keyword + description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." + - name: fingerprint type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain + - name: algorithm type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The user's email address. - - name: full_name + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + description: The digital fingerprint value. + - name: cloud + type: group + fields: + - name: account + type: group + fields: - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org + type: group + fields: + - name: name type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: codes + type: long + description: The list of return codes to the FTP command. + - name: command + type: keyword + description: The command name. + - name: command_responses + type: keyword + description: The list of responses to the FTP command. 
+ - name: compliance
+ type: group
+ description: The compliance object provides context to compliance findings.
+ fields:
+ - name: control
+ type: keyword
+ description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.
+ - name: requirements
+ type: keyword
+ description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10.
+ - name: standards
+ type: keyword
+ description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001.
+ - name: status
+ type: keyword
+ description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The resultant status code of the compliance check.
+ - name: status_detail
+ type: text
+ description: The contextual description of the status, status_code values.
+ - name: status_id
+ type: integer
+ description: The normalized status identifier of the compliance check.
+ - name: comment
+ type: keyword
+ description: The user provided comment about why the entity was changed.
+ - name: component
+ type: keyword
+ description: The name or relative pathname of a sub-component of the data object, if applicable.
+ - name: confidence
+ type: keyword
+ description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidence_id
+ type: keyword
+ description: The normalized confidence refers to the accuracy of the rule that created the finding.
A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.
+ - name: confidence_score
+ type: long
+ description: The confidence score as reported by the event source.
+ - name: connection_info
+ type: group
+ fields:
+ - name: boundary
+ type: keyword
+ description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: boundary_id
+ type: keyword
+ description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: direction
+ type: keyword
+ description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
+ - name: direction_id
+ type: keyword
+ description: The normalized identifier of the direction of the initiated connection, traffic, or email.
+ - name: protocol_name
+ type: keyword
+ description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.'
+ - name: protocol_num
+ type: keyword
+ description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.'
+ - name: protocol_ver
+ type: keyword
+ description: The Internet Protocol version.
+ - name: protocol_ver_id
+ type: keyword
+ description: The Internet Protocol version identifier.
+ - name: tcp_flags type: long - description: The Bitmask value that represents the file attributes. - - name: company_name + description: The network connection TCP header flags (i.e., control bits). + - name: uid type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality + description: The unique identifier of the connection. + - name: connection_uid + type: keyword + description: The network connection identifier. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: create_mask + type: keyword + description: The original Windows mask that is required to create the object. + - name: data_sources + type: keyword + description: The data sources for the finding. + - name: database + type: flattened + description: The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. + - name: databucket + type: flattened + description: The data bucket object is a basic container that holds data, typically organized through the use of data partitions. + - name: dce_rpc + type: group + fields: + - name: command type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id + description: The request command (e.g. REQUEST, BIND). + - name: command_response type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). 
+ - name: flags + type: keyword + description: The list of interface flags. + - name: opnum + type: long + description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. + - name: rpc_interface type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr + - name: ack_reason + type: long + description: An integer that provides a reason code or additional information about the acknowledgment result. + - name: ack_result + type: long + description: An integer that denotes the acknowledgment result of the DCE/RPC call. + - name: uuid type: keyword - description: The user's email address. - - name: full_name + description: The unique identifier of the particular remote procedure or service. + - name: version type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: The version of the DCE/RPC protocol being used in the session. + - name: dialect + type: keyword + description: The negotiated protocol dialect. + - name: direction + type: keyword + description: The direction of the email, as defined by the direction_id value. 
+ - name: direction_id + type: keyword + description: The direction of the email relative to the scanning host or organization. + - name: disposition + type: keyword + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. + - name: disposition_id + type: keyword + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. + - name: driver + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The group name. - - name: privileges + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group privileges. - - name: type + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The type of the group or account. - - name: uid + description: The user's email address. 
+ - name: full_name type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. 
- - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges + - name: algorithm type: keyword - description: The group privileges. 
- - name: type + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The type of the group or account. - - name: uid + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type type: keyword - description: The username. For example, janedoe1. - - name: org + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid + description: The user's email address. + - name: full_name type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The name of the file. For example: svchost.exe.' + - name: owner type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. 
AWS Account ID). + - name: credential_uid type: keyword - description: The group name. - - name: privileges + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group privileges. - - name: type + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The type of the group or account. - - name: uid + description: The user's email address. + - name: full_name type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
- name: name type: keyword - description: The name of the feature. + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the feature. + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. - name: version type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + description: The object security descriptor. 
+ - name: signature type: group fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. - name: created_time type: date - description: The time when the certificate was created. + description: The time when the digital signature was created. - name: created_time_dt type: date - description: The time when the certificate was created. 
- - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest type: group fields: - name: algorithm 
@@ -3684,57 +960,172 @@ - name: value type: keyword description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid + - name: size + type: long + description: The size of data, in bytes. + - name: type type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. 
+ - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: email + type: group + fields: + - name: cc + type: keyword + description: The email header Cc values, as defined by RFC 5322. + - name: delivered_to + type: keyword + description: The Delivered-To email header field. + - name: from + type: keyword + description: The email header From values, as defined by RFC 5322. + - name: message_uid + type: keyword + description: The email header Message-Id value, as defined by RFC 5322. + - name: raw_header + type: keyword + description: The email authentication header. + - name: reply_to + type: keyword + description: The email header Reply-To values, as defined by RFC 5322. - name: size type: long - description: The size of data, in bytes. + description: The size in bytes of the email, including attachments. + - name: smtp_from + type: keyword + description: The value of the SMTP MAIL FROM command. + - name: smtp_to + type: keyword + description: The value of the SMTP envelope RCPT TO command. + - name: subject + type: keyword + description: The email header Subject value, as defined by RFC 5322. + - name: to + type: keyword + description: The email header To values, as defined by RFC 5322. + - name: uid + type: keyword + description: The email unique identifier. + - name: x_originating_ip + type: ip + description: The X-Originating-IP header identifying the emails originating IP address(es). + - name: email_auth + type: group + fields: + - name: dkim + type: keyword + description: The DomainKeys Identified Mail (DKIM) status of the email. + - name: dkim_domain + type: keyword + description: The DomainKeys Identified Mail (DKIM) signing domain of the email. + - name: dkim_signature + type: keyword + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. 
+ - name: dmarc + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. + - name: dmarc_override + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. + - name: dmarc_policy + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. + - name: spf + type: keyword + description: The Sender Policy Framework (SPF) status of the email. + - name: email_uid + type: keyword + description: The unique identifier of the email, used to correlate related email alert and activity events. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value type: keyword - description: The file type ID. + description: The value of the attribute to which the enriched data pertains. + - name: entity + type: group + fields: + - name: data + type: flattened + description: The managed entity content as a JSON object. + - name: name + type: keyword + description: The name of the managed entity. + - name: type + type: keyword + description: The managed entity type. 
- name: uid type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: The identifier of the managed entity. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes + description: The version of the managed entity. + - name: entity_result + type: group + fields: + - name: data type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + description: The managed entity content as a JSON object. + - name: name + type: keyword + description: The name of the managed entity. + - name: type + type: keyword + description: The managed entity type. + - name: uid + type: keyword + description: The identifier of the managed entity. + - name: version + type: keyword + description: The version of the managed entity. + - name: evidence + type: flattened + description: The data the finding exposes to the analyst. + - name: evidences + type: flattened + description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection. + - name: expiration_time + type: date + description: The share expiration time. + - name: expiration_time_dt + type: date + description: The share expiration time. + - name: exit_code + type: keyword + description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - name: file_diff type: keyword description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values. 
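Review bot: `x_originating_ip` is mapped as `type: ip`, yet the X-Originating-IP header is free text set by the sending side and is commonly written in bracketed form (`[203.0.113.5]`, a constructed example), so any value that does not parse as a bare address makes Elasticsearch reject the whole document unless the ingest pipeline normalizes it or the field carries `ignore_malformed: true`. A related typing point is `exit_code`, whose description treats it as a number (zero means success) while the mapping uses `keyword`, which rules out range queries and differs from `size` and `duration`, both `long`. The pipeline is not visible from this hunk; if it already strips brackets and validates the address the first point is covered, otherwise consider `ignore_malformed: true` on `x_originating_ip` and `type: long` on `exit_code`. This hunk starts at `-3684` and runs to the line before `-4116`.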
@@ -4116,18 +1507,11 @@
- name: product
type: group
fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: lang
type: keyword
description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -4293,6 +1677,12 @@
- name: kb_articles
type: keyword
description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
- name: src_url
type: keyword
description: The URL pointing to the source of the finding.
@@ -4308,6 +1698,12 @@
- name: uid
type: keyword
description: The unique identifier of the reported finding.
+ - name: finding_info
+ type: flattened
+ description: Describes the supporting information about a generated finding.
+ - name: firewall_rule
+ type: flattened
+ description: The firewall rule that triggered the event.
- name: group
type: group
fields:
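Review bot: Replacing the explicit `feature` group with `feature.*` as `type: object` / `object_type_mapping_type: "*"` drops the per-field descriptions for `name`, `uid` and `version` and lets any key that arrives under `product.feature` become a new keyword field, so the documented schema of this object now depends on what each data source emits. Because those subfields are created dynamically, a source that sends many distinct keys under `feature` (or under `org`, which gets the same treatment later in this diff) consumes the index's field budget (`index.mapping.total_fields.limit`), and once that is exhausted documents introducing further fields are rejected. If the goal is only to tolerate OCSF additions, consider keeping the known OCSF subfields listed explicitly with their descriptions and reserving the wildcard mapping for the remainder, or at least stating in the `description` that this is an open object. The same pattern appears for `feature.*` in the hunks at `-4551` and `-5091` and for `org.*` at `-4773`, `-4869`, `-4974` and `-5055`.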
@@ -4449,6 +1845,46 @@
- name: is_renewal
type: boolean
description: The indication of whether this is a lease/session renewal event.
+ - name: kb_article_list
+ type: group
+ description: The KB Article object contains metadata that describes the patch or update.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier for the kb article.
+ - name: bulletin
+ type: keyword
+ description: The kb article bulletin identifier.
+ - name: classification
+ type: keyword
+ description: The vendors classification of the kb article.
+ - name: created_time
+ type: long
+ description: The date the kb article was released by the vendor.
+ - name: created_time_dt
+ type: date
+ description: The date the kb article was released by the vendor.
+ - name: is_superseded
+ type: boolean
+ description: "The patch is superseded"
+ - name: severity
+ type: keyword
+ description: The severity of the kb article.
+ - name: size
+ type: long
+ description: The size in bytes for the kb article.
+ - name: src_url
+ type: keyword
+ description: The kb article link from the source vendor.
+ - name: title
+ type: keyword
+ description: The title of the kb article.
+ - name: os
+ type: flattened
+ description: The operating system the kb article applies.
+ - name: product
+ type: flattened
+ description: The product details the kb article applies.
- name: kernel
type: group
fields:
@@ -4482,6 +1918,9 @@
- name: lease_dur
type: long
description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1)
+ - name: load_balancer
+ type: flattened
+ description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.
- name: logon_type
type: keyword
description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.
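Review bot: In the new `kb_article_list` group, `created_time` is mapped as `type: long` while the other `*_time` fields visible in this diff (the `created_time`/`created_time_dt` pairs on the file and certificate objects, `modified_time`, `expiration_time`, `end_time`) are `type: date`, so time-based queries and visualizations will treat this one field differently from its siblings; `type: date` also accepts epoch milliseconds, so aligning it does not need a pipeline change: `- name: created_time` / `type: date` / `description: The date the kb article was released by the vendor.`. The subfields are also not in alphabetical order, unlike the neighbouring groups, and `is_superseded` is the only description in the diff written with double quotes. Note that `kb_article_list` is added as `type: flattened` in the `-4293` hunk under a different parent; if both carry the same OCSF object, the two shapes will differ in which subfields are searchable and how, which is worth a line in the `description` of each.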
@@ -4551,18 +1990,11 @@
- name: product
type: group
fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: lang
type: keyword
description: The two letter lower case language codes, as defined by ISO 639-1.
@@ -4605,108 +2037,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
- name: module
type: group
fields:
@@ -4773,21 +2103,10 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
@@ -4869,21 +2188,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4974,21 +2282,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5055,21 +2352,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5091,18 +2377,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -5268,93 +2547,30 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: privileges type: keyword description: The list of sensitive privileges, assigned to the new user session. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. 
- - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic
+ type: flattened
+ description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.
 - name: query
 type: group
 fields:
@@ -5376,6 +2592,9 @@
 - name: type
 type: keyword
 description: 'The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.'
+ - name: query_info
+ type: flattened
+ description: The query info object holds information related to data access within a datastore.
 - name: query_time
 type: date
 description: The Domain Name System (DNS) query time.
@@ -5386,7 +2605,8 @@
 type: flattened
 description: The event data as received from the event source.
 - name: raw_data_keyword
- type: keyword
+ type: match_only_text
+ description: The event data as received from the event source.
 - name: rcode
 type: keyword
 description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.
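Review bot: The removed `proxy` endpoint group had `ip`-typed `ip`/`intermediate_ips` and a `geo_point` `location.coordinates`, and none of the five new `proxy_*` fields in the `@@ -5268` hunk replaces that endpoint, since `proxy_connection_info`, `proxy_http_request`, `proxy_http_response`, `proxy_tls` and `proxy_traffic` describe the proxy-to-remote leg rather than the proxy host itself. If the v1.1 proxy endpoint is mapped in one of the new per-object fields files outside this diff, a one-line pointer in a comment would help; if it is not, proxy addresses lose CIDR-style querying and any detection keyed on `ocsf.proxy.ip` silently stops matching. Under `flattened`, every leaf is indexed as a keyword, so the byte and packet counts that `proxy_traffic` presumably carries would not support numeric range queries or sums; that is acceptable only if nothing downstream needs them.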
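Review bot: `raw_data_keyword` is now `type: match_only_text` but keeps its `_keyword` suffix, which will mislead anyone writing a term query or aggregation on it, since text-family fields are analyzed rather than matched exactly and are not aggregatable. Renaming would break saved searches, so the description should at least state the mapping: `description: The event data as received from the event source, indexed as match_only_text (full-text searchable, not aggregatable).` The description added here is otherwise identical to the `raw_data` one above it, which hides why two fields hold the same content.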
@@ -5423,288 +2643,51 @@ - name: uid type: keyword description: The unique identifier for the network interface. - - name: remote_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: request - type: group - fields: - - name: flags - type: date - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: requested_permissions - type: long - description: The permissions mask that were requested by the process. - - name: resource + - name: remediation type: group fields: - - name: cloud_partition + - name: desc type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality + description: The description of the remediation strategy. + - name: kb_articles type: keyword - description: The criticality of the resource as defined by the event source. - - name: data + description: The KB article/s related to the entity. + - name: kb_article_list type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version + description: A list of KB articles or patches related to an endpoint. + - name: references type: keyword - description: The version of the resource. For example 1.2.3. - - name: resources + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: remote_display type: group fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. 
- - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. 
- - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. 
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: request
+ type: group
+ fields:
+ - name: flags
+ type: date
+ description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
 - name: uid
 type: keyword
- description: The unique identifier of the resource.
- - name: version
- type: keyword
- description: The version of the resource. For example 1.2.3.
+ description: The unique request identifier.
+ - name: requested_permissions
+ type: long
+ description: The permissions mask that were requested by the process.
 - name: response
 type: group
 fields:
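Review bot: `request.flags` is re-added with `type: date` although its own description says it holds a list of communication-flag captions, i.e. strings; unless `ignore_malformed` is enabled, a document carrying such a value for a `date` field is rejected by the mapper, so any event that sets `request.flags` would fail ingestion and disappear from detection coverage. Suggest `type: keyword`. The same `type: date` was present on the removed side, so this is a pre-existing mismatch the refactor carries over rather than introduces. The enclosing hunk starts at the `@@ -5423` header earlier in this chunk.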
@@ -5824,87 +2807,6 @@
 - name: smtp_hello
 type: keyword
 description: The value of the SMTP HELO or EHLO command sent by the initiator (client).
- - name: src_endpoint
- type: group
- fields:
- - name: domain
- type: keyword
- description: The name of the domain.
- - name: hostname
- type: keyword
- description: The fully qualified name of the endpoint.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: intermediate_ips
- type: ip
- description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
- - name: ip
- type: ip
- description: The IP address of the endpoint, in either IPv4 or IPv6 format.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The Media Access Control (MAC) address of the endpoint.
- - name: name
- type: keyword
- description: The short name of the endpoint.
- - name: port
- type: long
- description: The port used for communication within the network connection.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: svc_name
- type: keyword
- description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
- - name: uid
- type: keyword
- description: The unique identifier of the endpoint.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
 - name: start_time
 type: date
 description: The start time of a time period, or the time of the least recent event included in the aggregate event.
@@ -5929,6 +2831,12 @@
 - name: status_id
 type: keyword
 description: The normalized identifier of the event status.
+ - name: stratum_id
+ type: integer
+ description: The normalized identifier of the stratum level, as defined in RFC-5905.
+ - name: stratum
+ type: keyword
+ description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.
 - name: time
 type: date
 description: The normalized event occurrence time.
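Review bot: `stratum_id` is declared `type: integer` while the other `*_id` enumerations in this file, including the `status_id` context line directly above it and the `type_id` added in the later `@@ -6081` hunk, are `type: keyword`; a mixed convention means a term query written for one enum id fails on another. Either use `type: keyword` here for consistency, or add a note to the description stating that the numeric mapping is deliberate. The `stratum_id`/`stratum` pair is also listed id-first, whereas the `type`/`type_id`/`type_name` run in the `@@ -6081` hunk is alphabetical.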
@@ -6052,6 +2960,9 @@
 - name: version
 type: keyword
 description: The TLS protocol version.
+ - name: table
+ type: flattened
+ description: The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.
 - name: traffic
 type: group
 fields:
@@ -6081,7 +2992,10 @@
 description: The tree id is a unique SMB identifier which represents an open connection to a share.
 - name: type
 type: keyword
- description: The type of FTP network connection (e.g. active, passive).
+ description: The type the event.
+ - name: type_id
+ type: keyword
+ description: The normalized event type identifier.
 - name: type_name
 type: keyword
 description: The event type name, as defined by the type_uid.
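Review bot: The new description for `type` in the `@@ -6081` hunk reads `The type the event.`, which is missing a word; suggest `description: The type of the event.` Replacing the former FTP-specific wording also broadens what `type` means for every class sharing this mapping, so if the FTP connection type (active/passive) still arrives in `ocsf.type` for FTP events, the description could say so rather than drop that meaning. The `table` description in the `@@ -6052` hunk has a similar slip, `able to be create` for `able to be created`.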
@@ -6124,84 +3038,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: user_result type: group fields: 
@@ -6280,147 +3116,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. 
For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. 
- - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. + - name: version + type: keyword + description: The version number of the NTP protocol. 
- name: web_resources
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
new file mode 100644
index 000000000000..f0d2fe6bc6b1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
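Review bot: The new top-level `version` field is documented only as the NTP protocol version, yet it sits at the event root next to class-agnostic fields, while the OCSF schema version is the metadata `version` being moved out of this file earlier in the diff; a reader of the field reference cannot tell which events populate it. Suggest `description: The version number of the NTP protocol (populated for NTP activity events).` The removed `vulnerabilities` group is not replaced in this hunk; presumably it moved to one of the new per-object fields files, which is worth confirming so vulnerability findings do not land in dynamically mapped fields.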
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml 
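Review bot: The enum identifier attributes in this file (`file.type_id`, `confidentiality_id`, `hashes.algorithm_id`, `signature.algorithm_id`, and `account.type_id`/`type_id` under accessor, creator, modifier and owner) are mapped as `keyword`, while the same kind of `*_id` attributes in misc-fields.yml (`priority_id`, `verdict_id`, `security_level_id`) are `integer`, and misc-fields.yml itself mixes the two (`state_id` is `keyword` next to `security_level_id` as `integer`); network-endpoint-fields.yml and proxy-endpoint-fields.yml repeat the `keyword` choice for `type_id`. OCSF defines these as integer enums, so a consistent type across the package matters for anyone writing detections that join on them. If `keyword` is deliberate, say so in a header comment like the one misc-fields.yml carries, e.g. `# OCSF *_id enum attributes are mapped as keyword so that non-numeric source values cannot reject the document; compare by equality only.`; otherwise use `integer` everywhere.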
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml new file mode 100644 index 000000000000..55a1bbb690d6 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml 
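Review bot: The description of `metadata.tenant_uid` at the top of the hunk, "The audit level at which an event was generated.", does not describe a tenant identifier and looks copied from a different attribute; it should read `description: The unique tenant identifier.` A smaller wording defect is `cpe_name`, where "(NIST) For example" is missing the sentence break: `description: The Common Platform Enumeration (CPE) name as described by NIST. For example, cpe:/a:apple:safari:16.2.`.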
@@ -0,0 +1,89 @@ +# The misc fields are used to store additional information about the event that does not fit into the other categories and spans across multiple event types. +# They have extended mappings in their respective data streams +- name: ocsf + type: group + fields: + # These fields are used to store misc information about a findings category event. + - name: assignee + type: flattened + description: The details of the user assigned to an Incident. + - name: assignee_group + type: flattened + description: The details of the group assigned to an Incident. + - name: desc + type: keyword + description: The short description of the incident. + - name: priority + type: keyword + description: The priority, normalized to the caption of the priority_id value. + - name: priority_id + type: integer + description: The priority, normalized to the ID of the priority_id value. + - name: src_url + type: keyword + description: A Url link used to access the original incident. + - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. + - name: verdict_id + type: integer + description: The normalized verdict of an Incident. + # These fields are used to store misc information about a discovery category event. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The security state of the managed entity. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. 
+ fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The security state of the managed entity. + # These fields are used to store misc information about an application activity category event. + - name: command_uid + type: keyword + description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. + - name: num_* + type: integer + description: The number fields for counting various item scan results. + - name: policy + type: flattened + description: The policy that was used to scan the device. + - name: scan + type: group + description: The Scan object describes characteristics of a proactive scan. + fields: + - name: name + type: keyword + description: The administrator-supplied or application-generated name of the scan. + - name: type + type: keyword + description: The type of scan. + - name: type_id + type: keyword + description: The type id of the scan. + - name: uid + type: keyword + description: The application-defined unique identifier assigned to an instance of a scan. + - name: schedule_uid + type: keyword + description: The unique identifier of the schedule associated with a scan job. + - name: total + type: integer + description: The total number of items that were scanned; zero if no items were scanned. diff --git a/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml 
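Review bot: The `priority_id` description near the start of the hunk is circular, "The priority, normalized to the ID of the priority_id value."; it should describe the field itself, e.g. `description: The normalized priority identifier.` In the same block, `src_url` should spell the acronym consistently with the rest of the package: `description: A URL link used to access the original incident.`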
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml new file mode 100644 index 000000000000..898740ab4d10 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml 
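Review bot: `dst_endpoint.intermediate_ips` and `src_endpoint.intermediate_ips` are mapped as `ip` while their description says the values come from the HTTP X-Forwarded-For header, which is client-supplied; a single non-IP token in that list raises a mapping exception and the whole event is rejected at index time, so a malformed header can suppress the very record a defender needs. The ingest pipeline is not in this hunk, so I cannot tell whether it validates these values before indexing; if it does not, either filter non-IP entries there or declare the field tolerant with `ignore_malformed: true` under both `intermediate_ips` definitions. The same field in proxy-endpoint-fields.yml has the same exposure.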
@@ -0,0 +1,108 @@ +- name: ocsf + type: group + fields: + - name: proxy_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: port + type: long + description: The port used for communication within the network connection. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml new file mode 100644 index 000000000000..11d1f9a9bdb8 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml 
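Review bot: `intermediate_ips` is mapped as `type: ip` while its description says the values come from the HTTP X-Forwarded-For header, which is client-supplied and routinely contains non-address text; with an `ip` mapping a single malformed entry rejects the whole document at index time. Whether the ingest pipeline validates these values before they reach this mapping is not visible in the hunk, so either that should be confirmed or the description should state the contract, e.g. `description: The intermediate IP addresses, e.g. from the HTTP X-Forwarded-For header. Expected to be validated by the pipeline before indexing.`. The same `ip` mapping for `intermediate_ips` appears in proxy-fields-deprecated.yml and in the network endpoint fields that end at the top of this chunk.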
@@ -0,0 +1,84 @@ +- name: ocsf + type: group + fields: + - name: proxy + type: group + fields: + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. 
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml 
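Review bot: Nothing in the `ocsf.proxy` group records that it is deprecated — the only hint is the file name — so a reader of the generated field reference cannot tell which of `ocsf.proxy` and `ocsf.proxy_endpoint` a new record is expected to populate. Presumably this group is retained for events that still emit the pre-1.1 attribute; a `description` on the group would make that explicit, e.g. `description: Retained for events that still populate proxy; newer events use ocsf.proxy_endpoint.`.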
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml new file mode 100644 index 000000000000..904fd937ffa0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml 
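Review bot: The OCSF organization object is mapped two different ways in this commit: here `owner.org` is an explicit `group` with `name`, `ou_name`, `ou_uid`, `uid`, while user-fields.yml (next hunk) maps `user.org.*` as a dynamic `object` with `object_type: keyword`. Both produce keyword subfields, but only the explicit form yields documented, enumerable fields, so it is worth choosing one form for every place the object appears. Separately, `owner.groups.type_id` is described as `The resource group type identifier`, which reads like a copy-paste from the resource level; its sibling `type` says `The type of the group or account`, so `description: The group type identifier.` would match. `owner.groups` also lacks the `domain` field that `user.groups` has in user-fields.yml, which may or may not be intended.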
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml new file mode 100644 index 000000000000..621cf5229443 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml 
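Review bot: The `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are mapped `type: date` with `format: epoch_second`, whereas the same kind of OCSF timestamp fields in vulnerability-fields.yml (`cve.created_time`, `cve.modified_time`, next hunk) are `type: date` with no format. As far as I recall OCSF defines its `timestamp_t` values as milliseconds since the epoch, so an `epoch_second` mapping would silently place raw values a thousandfold too far in the future, and if the pipeline instead converts these to ISO-8601 strings (as `device.created_time` in the sample_event.json later in this diff suggests it does for other objects) an `epoch_second`-only format would reject the document. Whichever representation the pipeline emits, the two files should agree; a short comment at the top of each file stating the expected representation, e.g. `# *_time fields hold the epoch value as emitted by the pipeline; *_time_dt fields hold ISO-8601`, would settle it for the next maintainer.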
@@ -0,0 +1,162 @@ +- name: ocsf + type: group + fields: + - name: vulnerabilities + type: group + fields: + - name: cve + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: 'The CVSS base score. For example: 9.1.' + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The name of the metric. + - name: value + type: keyword + description: The value of the metric. + - name: overall_score + type: double + description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. + - name: vector_string + type: keyword + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' 
+ - name: version + type: keyword + description: 'The CVSS version. For example: 3.1.' + - name: cwe + type: flattened + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + - name: cwe_uid + type: keyword + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' + - name: cwe_url + type: keyword + description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' + - name: desc + type: keyword + description: The description of the vulnerability. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. + - name: fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' + - name: references + type: keyword + description: Supporting reference URLs. + - name: title + type: keyword + description: The title of the cve. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: cwe + type: group + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + fields: + - name: caption + type: keyword + description: The caption assigned to the Common Weakness Enumeration unique identifier. + - name: src_url + type: keyword + description: URL pointing to the CWE Specification. + - name: uid + type: keyword + description: The Common Weakness Enumeration unique number assigned to a specific weakness. + - name: packages + type: group + fields: + - name: architecture + type: keyword + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. + - name: epoch + type: long + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. + - name: license + type: keyword + description: The software license applied to this package. + - name: name + type: keyword + description: The software package name. 
+ - name: release + type: keyword + description: Release is the number of times a version of the software has been packaged. + - name: version + type: keyword + description: The software package version. + - name: references + type: keyword + description: Supporting reference URLs. + - name: related_vulnerabilities + type: keyword + description: List of vulnerabilities that are related to this vulnerability. + - name: severity + type: keyword + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. + - name: title + type: keyword + description: The title of the vulnerability. + - name: vendor_name + type: keyword + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index 9187b7416155..3ae37f501ab3 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml 
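Review bot: CWE information is mapped three ways in this file: `cve.cwe` as `flattened`, `cve.cwe_uid` / `cve.cwe_url` as keywords, and `vulnerabilities.cwe` as a `group` with `caption`, `src_url`, `uid`. The flattened `cve.cwe` loses the typed subfields the group version has, so a search on a CWE id has to know which of the three to query depending on which schema version produced the record. Presumably `cwe_uid` / `cwe_url` are the older attributes kept for compatibility; if so their descriptions should say it (`description: 'Superseded by the cwe object; kept for older records. The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'`), and `cve.cwe` could reuse the same `group` definition as `vulnerabilities.cwe` so both are queryable on `uid`.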
@@ -122,12 +122,7 @@ streams:
 required: false
 show_user: false
 description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- default: |
- # Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events.
- # - regex: '/CloudTrail/'
- # decoding.codec.parquet.enabled: true
- # decoding.codec.parquet.batch_size: 100
- # decoding.codec.parquet.process_parallel: true
+ default: "# Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events.\n# - regex: '/CloudTrail/'\n# decoding.codec.parquet.enabled: true\n# decoding.codec.parquet.batch_size: 100\n# decoding.codec.parquet.process_parallel: true \n"
 - name: region
 type: text
 title: "[SQS] Region"
@@ -268,3 +263,6 @@ streams:
 elasticsearch:
 dynamic_dataset: true
 dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
diff --git a/packages/amazon_security_lake/data_stream/event/sample_event.json b/packages/amazon_security_lake/data_stream/event/sample_event.json
new file mode 100644
index 000000000000..7c2bf8e23805
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/sample_event.json
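Review bot: The new quoted `default` ends with `process_parallel: true \n` — a trailing space before the final newline that the removed block scalar did not carry as far as this diff shows — so the example text rendered in the UI now ends in stray whitespace; drop it (`...process_parallel: true\n"`). The block-scalar form was also easier to read and to diff; if the single-line quoting is needed by the tooling, a one-line comment above `default:` saying so would stop the next editor from reverting it.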
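Review bot: `index_template.mappings.dynamic: true` enables dynamic mapping for a data stream whose documents are built from third-party log sources, so any previously unseen key in an incoming OCSF record becomes a new indexed field with its type guessed from the first value seen. Two operational effects follow and are worth stating next to the setting: the backing index will hit its total-fields limit once enough distinct keys arrive, after which further documents carrying new keys are rejected, and a first-seen value of the wrong type pins that field's type for the rest of the backing index. Presumably this is what the `object_type_mapping_type: "*"` object fields added elsewhere in this commit rely on; a comment here recording the reason and the trade-off, e.g. `# dynamic mapping is required for the ocsf.*.org.* / feature.* object fields; note that unmapped keys from the source are also indexed`, makes the choice auditable, and the README should mention the field-limit consequence for high-cardinality sources.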
@@ -0,0 +1,160 @@
+{
+ "@timestamp": "2023-09-21T06:27:59.358Z",
+ "agent": {
+ "ephemeral_id": "997d41db-2945-4b29-a606-62cf3d2208ae",
+ "id": "d68b8849-ddc7-453c-b14c-d770658c905e",
+ "name": "elastic-agent-83792",
+ "type": "filebeat",
+ "version": "8.14.3"
+ },
+ "cloud": {
+ "account": {
+ "id": "65194d7c-584c-11ee-8857-0242ac110005"
+ },
+ "provider": "infrared delayed visiting",
+ "region": "initial lucia designer"
+ },
+ "data_stream": {
+ "dataset": "amazon_security_lake.event",
+ "namespace": "86127",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "d68b8849-ddc7-453c-b14c-d770658c905e",
+ "snapshot": false,
+ "version": "8.14.3"
+ },
+ "event": {
+ "action": "look",
+ "agent_id_status": "verified",
+ "category": [
+ "package"
+ ],
+ "dataset": "amazon_security_lake.event",
+ "ingested": "2024-08-13T19:04:14Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "jurisdiction protecting witness",
+ "severity": 6,
+ "start": "2023-09-21T06:59:23.200Z",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "domain": "allied had insulation",
+ "hostname": "zinc.biz",
+ "id": "651987a6-584c-11ee-ad31-0242ac110005",
+ "ip": [
+ "81.2.69.142"
+ ],
+ "name": "knows col covered",
+ "type": "Unknown"
+ },
+ "input": {
+ "type": "aws-s3"
+ },
+ "log": {
+ "file": {
+ "path": "https://security-lake-logs-bucket-19310.s3.us-east-1.amazonaws.com/application/application_lifecycle.parquet"
+ },
+ "offset": 0
+ },
+ "message": "issues kings loop",
+ "ocsf": {
+ "activity_id": "99",
+ "activity_name": "look",
+ "app": {
+ "feature": {
+ "name": "mit received implemented",
+ "uid": "6519aa4c-584c-11ee-ac40-0242ac110005",
+ "version": "1.0.0"
+ },
+ "lang": "en",
+ "name": "bottom loud knowledge",
+ "path": "path o f",
+ "uid": "6519a3da-584c-11ee-8c89-0242ac110005",
+ "vendor_name": "ss keeping administered",
+ "version": "1.0.0"
+ },
+ "category_name": "Application Activity",
+ "category_uid": "6",
+ "class_name": "Application Lifecycle",
+ "class_uid": "6002",
+ "cloud": {
+ "account": {
+ "type": "AWS Account",
+ "type_id": "10"
+ },
+ "org": {
+ "name": "exclusive variables tag",
+ "ou_name": "custom packard pierre",
+ "uid": "65193f12-584c-11ee-ae9b-0242ac110005"
+ }
+ },
+ "device": {
+ "created_time": "2023-09-21T06:27:59.358Z",
+ "hw_info": {
+ "ram_size": 84,
+ "serial_number": "training blink executives"
+ },
+ "instance_uid": "65197efa-584c-11ee-bc04-0242ac110005",
+ "interface_name": "lightbox bugs spain",
+ "interface_uid": "6519835a-584c-11ee-b813-0242ac110005",
+ "is_personal": false,
+ "org": {
+ "name": "chaos winner entered",
+ "ou_name": "music client leaf",
+ "uid": "65197a86-584c-11ee-96c1-0242ac110005"
+ },
+ "region": "casio paris norway",
+ "subnet_uid": "6519725c-584c-11ee-b6a2-0242ac110005",
+ "type_id": "0",
+ "uid_alt": "older audience trends"
+ },
+ "metadata": {
+ "log_name": "collaboration blood loan",
+ "modified_time_dt": "2023-09-21T06:59:23.198Z",
+ "original_time": "effectively dimensional reservation",
+ "product": {
+ "lang": "en",
+ "name": "enzyme cookie citations",
+ "uid": "65195f88-584c-11ee-8118-0242ac110005",
+ "url_string": "deck",
+ "vendor_name": "rochester school force",
+ "version": "1.0.0"
+ },
+ "profiles": [
+ "cloud",
+ "container",
+ "datetime",
+ "host"
+ ],
+ "version": "1.0.0"
+ },
+ "severity": "Fatal",
+ "start_time_dt": "2023-09-21T06:59:23.200Z",
+ "status": "Success",
+ "status_detail": "rat forth dishes",
+ "status_id": "1",
+ "type_name": "Application Lifecycle: Other",
+ "type_uid": "600299"
+ },
+ "related": {
+ "hosts": [
+ "allied had insulation",
+ "zinc.biz",
+ "knows col covered"
+ ],
+ "ip": [
+ "81.2.69.142"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "amazon_security_lake-event"
+ ]
+}
\ No newline at end of file
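Review bot: The new sample file ends without a trailing newline (`\ No newline at end of file`); a file kept under version control should end with one so future edits do not show a spurious change on the last line. Separately, the OCSF identifier fields in the sample (`activity_id`, `category_uid`, `class_uid`, `status_id`, `type_uid`, `cloud.account.type_id`, `device.type_id`) are strings while `event.severity` and `device.hw_info.ram_size` are numbers; this presumably mirrors keyword mappings in the field definitions, but since the sample is what readers copy from, it is worth confirming each value's JSON type matches the mapped type, especially now that unmapped fields will be typed dynamically from their first value.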
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
new file mode 100644
index 000000000000..76096c38c9bb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool).
Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml new file mode 100644 index 000000000000..74d4ea4ae382 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml 
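Review bot: `ocsf.api.response.error_message` is mapped as `text` here while the mapping it replaces in fields.yml (removed in that file's @@ -57 hunk) had it as `keyword`, and `response.code` moves from `long` to `integer`; both are type changes on field names that already exist in the findings data stream, and the keyword-to-text change makes `error_message` non-aggregatable for any saved search or visualization that grouped on it. If exact match and aggregation are still wanted, keep `type: keyword` (or add a keyword `multi_fields` entry) and call the mapping change out in the changelog. The `containers` descriptions under both `request` and `response` also carry a typo: `write to the standard the output of` should read `write to the standard output of`.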
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: assignee + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. 
+ - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. 
+ - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index 2b6a3f72f7a0..cde591e75479 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml 
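Review bot: The `*_time` fields under `assignee.ldap_person` (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are mapped with `format: epoch_second`, but OCSF defines its `timestamp_t` type as milliseconds since the Unix epoch; unless the ingest pipeline (not in this hunk) divides these values before indexing, a millisecond value is parsed as seconds and lands thousands of years in the future, which silently breaks any time-based triage on these fields. Confirm against the pipeline and, if the raw value is indexed unchanged, use `format: epoch_millis`. Separately, `groups.desc` is `keyword` here but `text` in the api `group` object added in api-fields.yml; one type per field name across the package keeps cross-data-stream queries predictable.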
@@ -57,57 +57,28 @@
 - name: version
 type: keyword
 description: 'The analytic version. For example: 1.1.'
- - name: api
+ - name: assignee_group
 type: group
+ description: The details of the group assigned to an Incident.
 fields:
- - name: operation
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
 type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
 type: keyword
- description: The version of the API service.
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
 - name: attacks
 type: group
 fields:
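Review bot: `assignee_group.desc` is mapped as `text` while every other attribute of `assignee_group` in this hunk is `keyword` and `desc` under the `groups` entries in the new assignee-fields.yml is `keyword` too; a group description is short, so `type: keyword` keeps it aggregatable and consistent with its siblings, and a keyword `multi_fields` entry would keep free-text search if that is the intent. The `api` group removed here reappears in the new api-fields.yml, so that part is only a move.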
@@ -200,16 +171,29 @@
 description: The availability zone in the cloud region, as defined by the cloud provider.
 - name: compliance
 type: group
+ description: The compliance object provides context to compliance findings.
 fields:
- - name: status_detail
+ - name: control
 type: keyword
- description: The status details contains additional information about the event outcome.
+ description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.
 - name: requirements
 type: keyword
- description: A list of applicable compliance requirements for which this finding is related to.
+ description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10.
+ - name: standards
+ type: keyword
+ description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001.
 - name: status
 type: keyword
- description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The resultant status code of the compliance check.
+ - name: status_detail
+ type: text
+ description: The contextual description of the status, status_code values.
+ - name: status_id
+ type: integer
+ description: The normalized status identifier of the compliance check.
 - name: confidence
 type: keyword
 description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
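Review bot: `compliance.status_detail` changes from `keyword` to `text` on a field name that already exists in the findings data stream, so term-level queries and aggregations on it keep working against old backing indices and fail against new ones; either keep `type: keyword` or add a keyword `multi_fields` entry, and record the mapping change in the changelog. Separately, the new `status_id` is `integer` while the `*_id` enum attributes elsewhere in this commit (`account.type_id` and `type_id` in assignee-fields.yml) are `keyword`; one convention for OCSF `*_id` values avoids a field that is numeric in one object and a string in another.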
@@ -225,6 +209,9 @@
 - name: data_sources
 type: keyword
 description: The data sources for the finding.
+ - name: desc
+ type: keyword
+ description: The short description of the incident.
 - name: duration
 type: long
 description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
@@ -239,6 +226,7 @@
 fields:
 - name: data
 type: flattened
+ ignore_malformed: true
 description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
 - name: name
 type: keyword
@@ -255,6 +243,9 @@
 - name: evidence
 type: flattened
 description: The data the finding exposes to the analyst.
+ - name: evidences
+ type: flattened
+ description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection.
 - name: finding
 type: group
 fields:
@@ -312,6 +303,12 @@
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
 - name: src_url
 type: keyword
 description: The URL pointing to the source of the finding.
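Review bot: `ignore_malformed: true` is added to `enrichments.data` in the @@ -239 hunk but not to the other `flattened` fields this commit introduces in the same file (`evidences` in @@ -255, `kb_article_list` in @@ -312); if the reason is that some sources put a scalar where an object is expected, those fields are exposed to the same document rejection, and a rejected finding is a silent gap in the detection data. Either apply the setting to all of the new flattened fields or leave a short comment on `enrichments.data` explaining why only it needs it, e.g. `# enrichment payloads are not always objects; keep the document rather than reject it`.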
@@ -327,6 +324,46 @@
 - name: uid
 type: keyword
 description: The unique identifier of the reported finding.
+ - name: firewall_rule
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: impact
 type: keyword
 description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
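Review bot: `firewall_rule.match_details` holds the request content that matched a rule, i.e. externally supplied input by its own description, and `keyword` mapping (with the `ignore_above: 1024` that package keyword fields typically receive) means long matched payloads are dropped from the index and short ones are only exact-matchable, so an analyst searching WAF findings for a substring gets nothing. Consider `type: text` with a `keyword` `multi_fields` entry, or at least an explicit larger `ignore_above` on this one field. `condition` and `desc` are already `text`, so the same pattern would be consistent within the object.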
@@ -408,18 +445,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: The two letter lower case language codes, as defined by ISO 639-1.
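Review bot: Replacing the explicit `feature.name`/`feature.uid`/`feature.version` mapping with a wildcard `feature.*` object drops those three documented fields from the generated field table, and `object_type_mapping_type: "*"` asks for `keyword` on every value under `feature`, which presumably fails to index a document if a source ever emits a nested object there. If the intent is only to absorb unknown extra attributes, the `description` should at least list the expected keys, e.g. `description: The Feature object (name, uid, version) of the software product feature that generated the event; unknown sub-fields are mapped as keyword.`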
@@ -462,108 +492,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
 - name: nist
 type: keyword
 description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.
@@ -597,1631 +525,33 @@ - name: value type: keyword description: The value associated with the observable attribute. - - name: process + - name: priority + type: keyword + description: The priority, normalized to the caption of the priority_id value. + - name: priority_id + type: integer + description: The priority, normalized to the ID of the priority_id value. + - name: remediation type: group fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + - name: desc type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. 
- - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid + description: The description of the remediation strategy. + - name: kb_articles type: keyword - description: The effective group under which this process is running. - - name: euid + description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' 
- - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
- - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' 
- - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' 
- - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
- - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. 
- - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. 
- - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. 
- - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: raw_data type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword - - name: resources - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. + type: match_only_text + description: The raw event data keyword as received from the event source. - name: risk_level type: keyword description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. @@ -2237,6 +567,9 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. + - name: src_url + type: keyword + description: A Url link used to access the original incident. - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. 
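Review bot: The description added for `src_url` writes `Url` where the rest of these field files write `URL`, and the new `finding_info.src_url` introduced by this same patch describes the attribute differently ("The URL pointing to the source of the finding."), so two fields with the same name now carry diverging wording. Suggest `description: A URL link used to access the original incident.` here, or aligning the two descriptions if they are meant to describe the same attribute at two levels. The enclosing `ocsf` group starts outside this hunk.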
@@ -2279,144 +612,9 @@ - name: unmapped type: flattened description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. 
It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. 
- - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. + - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. 
+ - name: verdict_id + type: integer + description: The normalized verdict of an Incident. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml new file mode 100644 index 000000000000..3349999ea2bc --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml 
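Review bot: The added `verdict_id` is typed `integer`, while the sibling enum identifier `severity_id` in the same file is `long` and the `type_id` fields elsewhere in this package are `keyword`, so range queries and dashboards behave differently per `*_id` field; suggest `type: long` to match `severity_id` unless the narrower type is deliberate. This hunk also drops the explicit `vulnerabilities` group (CVE, CVSS `base_score: double`, packages); if that object is now expected to be covered by the dynamic template the commit message mentions, it is worth confirming that `cvss.base_score` and `cve.uid` still receive numeric/keyword mappings rather than landing in `unmapped`, because detection rules that threshold on CVSS score depend on that. The enclosing `ocsf` group starts outside this hunk.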
@@ -0,0 +1,137 @@ +- name: ocsf + type: group + fields: + - name: finding_info + type: group + description: Describes the supporting information about a generated finding. + fields: + - name: uid + type: keyword + description: The unique identifier of the reported finding. + - name: title + type: text + description: A title or a brief phrase summarizing the reported finding. + - name: desc + type: text + description: The description of the reported finding. + - name: created_time + type: long + description: The time when the finding was created. + - name: created_time_dt + type: date + description: The time (date) when the finding was created. + - name: first_seen_time + type: long + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time (date) when the finding was first observed. + - name: last_seen_time + type: long + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time (date) when the finding was most recently observed. + - name: modified_time + type: long + description: The time when the finding was last modified. + - name: modified_time_dt + type: date + description: The time (date) when the finding was last modified. + - name: src_url + type: keyword + description: The URL pointing to the source of the finding. + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the finding. + - name: types + type: keyword + description: One or more types of the reported finding. + - name: data_sources + type: keyword + description: A list of data sources utilized in generation of the finding. + - name: analytic + type: group + description: The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. + fields: + - name: category + type: keyword + description: The analytic category. 
+ - name: desc + type: text + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: flattened + description: Other analytics related to this analytic. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: The analytic version. For example, 1.1. + - name: attacks + type: group + description: MITRE ATT&CK Details. + fields: + - name: sub_technique + type: flattened + description: The Sub Technique object describes the sub technique ID and/or name associated to an attack. + - name: tactic + type: flattened + description: The Tactic object describes the tactic ID and/or name that is associated to an attack. + - name: tactics + type: flattened + description: The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique. + - name: technique + type: flattened + description: The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM. + - name: version + type: keyword + description: The ATT&CK MatrixTM version. + - name: kill_chain + type: group + description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: integer + description: The cyber kill chain phase identifier. + - name: related_analytics + type: flattened + description: Other analytics related to this finding. 
+ - name: related_events + type: group + description: Describes events and/or other findings related to the finding as identified by the security product. + fields: + - name: attacks + type: flattened + description: MITRE ATT&CK Details. + - name: kill_chain + type: flattened + description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + - name: observables + type: flattened + description: The observables associated with the event or a finding. + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the related event. + - name: type + type: keyword + description: The type of the related event. For example, Process Activity, Launch. + - name: type_uid + type: integer + description: The unique identifier of the related event type. For example, 100701. + - name: uid + type: keyword + description: The unique identifier of the related event. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml 
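Review bot: The `*_time` fields in this file are mapped inconsistently with the sibling files in the same commit: `finding_info.created_time`, `first_seen_time`, `last_seen_time` and `modified_time` are `type: long` with a separate `*_dt` date field, whereas `metadata.modified_time` and `process.created_time` in the other new files are `type: date` alongside their `*_dt` twin. If the ingest pipeline converts every epoch `*_time` value to a date uniformly, an ISO string landing in a `long` field would be rejected at index time; if it does not, the other files' `date` mappings are the ones that will fail — either way one convention should be picked and confirmed against the pipeline. The `analytic.type_id` entry is `type: keyword` while `kill_chain.phase_id` and `related_events.type_uid` are `integer`, so the same kind of enum identifier gets different types within this file; if `type_id` is numeric at the source, `type: integer` would keep it consistent and searchable by range.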
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml new file mode 100644 index 000000000000..9a2a81816026 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml 
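Review bot: The description for `metadata.tenant_uid` at the top of this hunk reads "The audit level at which an event was generated.", which does not match the field name and looks like a copy-paste from a different attribute; going by the name, something like `description: The unique identifier of the tenant that generated the event.` would be accurate (confirm the exact wording against the OCSF 1.1 schema). The `logged_time`/`logged_time_dt`, `modified_time`/`modified_time_dt` and `processed_time`/`processed_time_dt` pairs are all `type: date` with identical descriptions, so a reader cannot tell which one the pipeline actually populates; a short note on each pair, or dropping the duplicate text, would make the intent clear. The `extension` and `extensions` groups are defined with the same three fields and descriptions; if `extension` is kept only for compatibility with older events, a description saying so on the group would help maintainers avoid "fixing" it later.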
@@ -0,0 +1,1388 @@ +- name: ocsf + type: group + fields: + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
+ - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. 
+ - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. 
+ - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. 
+ - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. 
+ - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. 
+ - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. 
+ - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. 
+ - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. 
+ - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml 
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml new file mode 100644 index 000000000000..621cf5229443 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml 
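Review bot: In `ocsf.resources.owner.groups`, `type_id` is documented as `The resource group type identifier.`, which reads like a copy from the resource object rather than a description of the group, and the sibling `groups` definitions added elsewhere in this patch (for example under the process `user` object) carry no `type_id` at all and describe `type` as `The type of the group or account.`. Either drop `type_id` here if the OCSF 1.1 group object does not define it (I believe it does not, but confirm against the schema) or reword it, e.g. `description: The normalized identifier of the group type.`, so the mapping and its docs agree across the data streams. Separately, `resources` is mapped as `type: group`, but OCSF findings carry it as an array of resource objects; Elasticsearch flattens object arrays in a non-nested mapping, so when a finding lists several resources an analyst can no longer tell which `owner.uid` or `region` belongs to which resource `uid`. If the pipeline can emit more than one resource per event, consider `type: nested` for `resources` or state this limitation in the field description, since attributing a finding to the right resource owner is exactly what triage queries on this stream will do.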
@@ -0,0 +1,162 @@ +- name: ocsf + type: group + fields: + - name: vulnerabilities + type: group + fields: + - name: cve + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: 'The CVSS base score. For example: 9.1.' + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The name of the metric. + - name: value + type: keyword + description: The value of the metric. + - name: overall_score + type: double + description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. + - name: vector_string + type: keyword + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' 
+ - name: version + type: keyword + description: 'The CVSS version. For example: 3.1.' + - name: cwe + type: flattened + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + - name: cwe_uid + type: keyword + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' + - name: cwe_url + type: keyword + description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' + - name: desc + type: keyword + description: The description of the vulnerability. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. + - name: fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' + - name: references + type: keyword + description: Supporting reference URLs. + - name: title + type: keyword + description: The title of the cve. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: cwe + type: group + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + fields: + - name: caption + type: keyword + description: The caption assigned to the Common Weakness Enumeration unique identifier. + - name: src_url + type: keyword + description: URL pointing to the CWE Specification. + - name: uid + type: keyword + description: The Common Weakness Enumeration unique number assigned to a specific weakness. + - name: packages + type: group + fields: + - name: architecture + type: keyword + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. + - name: epoch + type: long + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. + - name: license + type: keyword + description: The software license applied to this package. + - name: name + type: keyword + description: The software package name. 
+ - name: release + type: keyword + description: Release is the number of times a version of the software has been packaged. + - name: version + type: keyword + description: The software package version. + - name: references + type: keyword + description: Supporting reference URLs. + - name: related_vulnerabilities + type: keyword + description: List of vulnerabilities that are related to this vulnerability. + - name: severity + type: keyword + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. + - name: title + type: keyword + description: The title of the vulnerability. + - name: vendor_name + type: keyword + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/findings/manifest.yml b/packages/amazon_security_lake/data_stream/findings/manifest.yml index 38c95d073a94..6cc244e9afe4 100644 --- a/packages/amazon_security_lake/data_stream/findings/manifest.yml +++ b/packages/amazon_security_lake/data_stream/findings/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Findings Events dataset: amazon_security_lake.findings type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml 
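Review bot: `ocsf.vulnerabilities.cve.epss` is mapped as `flattened`, which indexes every leaf under it as a keyword, so any numeric exploitability score or percentile the source emits there cannot be range-filtered or sorted — that undercuts the main use of EPSS in triage (prioritising findings above a probability threshold). If that is intended for now, a short comment on the field would save the next maintainer from assuming it is queryable numerically, e.g. `# flattened: EPSS leaf values are indexed as keywords; map as a group with numeric leaves if range queries are needed`; otherwise consider a `group` with explicit leaf types, as was done for `cvss`. Two wording nits in the same hunk: `The title of the cve.` should read `The title of the CVE.`, and `The KB article/s related to the entity.` reads better as `The KB articles related to the entity.`.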
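Review bot: The new `index_template.mappings.dynamic: true` in the findings manifest makes Elasticsearch add a mapping for every previously unseen key in an incoming document, so any OCSF extension, `unmapped` content or free-form nested object emitted by a source grows the index mapping without bound and can eventually trip the index field limit and cause indexing rejections for the whole data stream. Since the data is ingested from an external lake rather than generated by this package, that is an availability concern worth stating explicitly; a comment such as `# dynamic: true — unknown OCSF fields are mapped on ingest; monitor field count against index.mapping.total_fields.limit` would document the trade-off. If only searchability of unknown fields is needed, `dynamic: runtime` keeps them queryable without inflating the stored mapping and is worth evaluating. The same setting appears to be added to the other data_stream manifests in this commit, so the note applies to those as well.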
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined.
For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool).
Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml
@@ -0,0 +1,154 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: api
+ type: group
+ description: Describes details about a typical API (Application Programming Interface) call.
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: group
+ type: group
+ description: The information pertaining to the API group.
+ fields:
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: request
+ type: group
+ description: Details pertaining to the API request.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: response
+ type: group
+ description: Details pertaining to the API response.
+ fields:
+ - name: code
+ type: integer
+ description: The numeric response sent to a request.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: text
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: message
+ type: text
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ description: The information pertaining to the API service.
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml
new file mode 100644
index 000000000000..1fbf81b593e4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml
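Review bot: `containers.size` is mapped as `integer` (32-bit) in both the request and response container groups, while the mapping this refactor removes from fields.yml used `- name: size - type: long`; a container image over 2 GiB would then be rejected with a mapping exception instead of indexing, so `type: long` is the safer choice and keeps the two mappings consistent. `api.group.desc` is typed `text` here while every other `desc` field in this change (device groups, user groups) is `keyword`, which makes the field un-aggregatable and inconsistent; `type: keyword` would match the rest. `hash` and `image` are `flattened`, so the hash algorithm and value lose their individual typed subfields — acceptable if intended, but a one-line YAML comment stating why would help the next maintainer.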
@@ -0,0 +1,348 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version.
For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index ab245e5d92b0..604c94947a96 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
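Review bot: `device.uid_alt` carries the user object's description verbatim (`The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.`), which is wrong for a device field; something like `description: The alternate unique identifier of the device.` would fit, and `created_time_dt` has a typo, `TThe time when ...`. `subnet` is mapped as `ip_range` while its description says `The subnet mask.`; ip_range expects CIDR notation, so if the source ever emits a bare mask or an address without a prefix length the document may be rejected — confirm the pipeline normalizes the value, or fall back to `keyword`. The device timestamps (`created_time`, `first_seen_time`, `last_seen_time`, `modified_time`) have no `format`, unlike the user-fields hunk earlier in this patch where the epoch fields carry `format: epoch_second`; presumably the pipeline converts these before indexing, but that is worth confirming since a raw epoch-seconds value would be read as epoch millis by the default date format.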
@@ -7,1713 +7,6 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: auth_protocol type: keyword description: The authentication protocol as defined by the caption of 'auth_protocol_id'. 
In the case of 'Other', it is defined by the event source. 
@@ -1795,444 +88,33 @@ - name: name type: keyword description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: comment - type: keyword - description: The user provided comment about why the entity was changed. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' 
- - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' 
- - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. 
- - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. 
- - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
+ - name: ou_name
 type: keyword
- description: The postal code of the location.
- - name: provider
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
 type: keyword
- description: The provider of the geographical location data.
- - name: region
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
 type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The Media Access Control (MAC) address of the endpoint.
- - name: name
- type: keyword
- description: The short name of the endpoint.
- - name: port
- type: long
- description: The port used for communication within the network connection.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: svc_name
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: project_uid
 type: keyword
- description: The service name in service-to-service connections.
For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
- - name: uid
+ description: The unique identifier of a Cloud project.
+ - name: provider
 type: keyword
- description: The unique identifier of the endpoint.
- - name: vlan_uid
+ description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
+ - name: region
 type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
+ description: The name of the cloud region, as defined by the cloud provider.
+ - name: zone
 type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
+ description: The availability zone in the cloud region, as defined by the cloud provider.
+ - name: comment
+ type: keyword
+ description: The user provided comment about why the entity was changed.
+ - name: count
+ type: long
+ description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
 - name: duration
 type: long
 description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
@@ -2247,6 +129,7 @@
 fields:
 - name: data
 type: flattened
+ ignore_malformed: true
 description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
 - name: name
 type: keyword
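Review bot: `ignore_malformed: true` on the `data` flattened field in hunk @@ -2247 changes the failure mode from a rejected document to a document that is indexed with this field silently left unindexed, and the description does not say so. I would extend the description with a sentence such as `Values that cannot be indexed as flattened are kept in _source but are not searchable; check the _ignored field when enrichment data appears to be missing from query results.` so analysts building searches on enrichment data know why hits can be absent. It is also worth confirming that the minimum Elasticsearch version declared for this package accepts `ignore_malformed` on the `flattened` type, since a rejected mapping parameter fails installation of the whole data-stream template rather than just this field. The enclosing `enrichments` group starts outside the hunk.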
@@ -2530,21 +413,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -2626,21 +498,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
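Review bot: The new `org.*` entry in hunk @@ -2530 has no `description`, although the same wildcard in hunk @@ -3142 carries `description: Organization and org unit related to the user.`; hunks @@ -2626, @@ -2731 and @@ -2812 have the same gap. The explicit `org.name`, `ou_name`, `ou_uid` and `uid` definitions and their descriptions are removed in the same hunks, so the exported-fields documentation built from this file presumably has nothing left to say about these fields unless the wildcard entry says it; I would add the same `description:` line to all four. `object_type_mapping_type: "*"` also indexes every leaf under `org` as keyword whatever its JSON type, which matches the removed definitions (all keyword) but would silently string-index any numeric or boolean org attribute added later, so the description is a good place to state that the sub-fields are mapped dynamically as keyword.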
@@ -2731,21 +592,10 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
@@ -2812,21 +662,10 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
@@ -2848,18 +687,11 @@
- name: product
type: group
fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: lang
type: keyword
description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -3142,21 +974,11 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3179,201 +1001,15 @@ type: keyword description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. 
- - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: - name: account 
@@ -3424,21 +1060,11 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3451,389 +1077,295 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path + - name: desc type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid + - name: algorithm type: keyword - description: The unique identifier of the product. - - name: vendor_name + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The name of the vendor of the product. - - name: version + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type type: keyword - description: The object security descriptor. - - name: signature + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + - name: account type: group fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. 
- - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version + - name: name type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm + description: The name of the account (e.g. GCP Account Name). + - name: type type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The normalized account type identifier. + - name: uid type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The name of the file. For example: svchost.exe.' + - name: owner type: group fields: - - name: desc + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The group description. - - name: name + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group name. - - name: privileges + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The group privileges. + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword - description: The type of the group or account. + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The username. For example, janedoe1. - - name: org + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: - - name: name + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The name of the product. + - name: path type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. 
- - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The file type. - name: type_id type: keyword - description: The normalized account type identifier. + description: The file type ID. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group type: group fields: - name: desc 
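Review bot: `hashes` and `signature.certificate.fingerprints` are mapped as `type: group` (a plain object) on the new side of this hunk, so if a file record carries more than one fingerprint object the `algorithm`/`algorithm_id` and `value` members are indexed as independent arrays and their pairing is lost; a query such as `hashes.algorithm_id: <id> AND hashes.value: <hash>` can then match across two different entries and a detection that pins a hash to an algorithm may fire on the wrong file. The limitation is inherited from the old layout rather than introduced here, but the restructuring is the natural place to record it: on each of the two groups add `description: Array of fingerprint objects; members are flattened, so algorithm and value of one entry are not kept together in queries.`, or switch the two groups to `type: nested` if that pairing matters to the dashboards or rules built on this dataset. The hunk's enclosing `file` object continues outside the hunk.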
@@ -3851,223 +1383,201 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type + - name: integrity type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id type: keyword - description: The account type identifier. - - name: uid + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: logon_type - type: keyword - description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. - - name: logon_type_id - type: keyword - description: The normalized logon type identifier - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: + description: The list of loaded module names. - name: name type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. + - name: parent_process_keyword type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. 
- - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature + description: The name of the containment jail (i.e., sandbox). 
For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session type: group fields: - - name: name + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer type: keyword - description: The name of the feature. + description: The identifier of the session issuer. + - name: mfa + type: boolean - name: uid type: keyword - description: The unique identifier of the feature. - - name: version + description: The unique identifier of the session. + - name: uuid type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. - name: uid type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - - name: observables - type: group - fields: - - name: name - type: keyword - description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.' - - name: reputation - type: group - fields: - - name: base_score - type: double - description: The reputation score as reported by the event source. - - name: provider - type: keyword - description: The provider of the reputation information. - - name: score - type: keyword - description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. - - name: score_id - type: keyword - description: The normalized reputation score identifier. - - name: type - type: keyword - description: The observable value type name. - - name: type_id - type: keyword - description: The observable value type identifier. - - name: value - type: keyword - description: The value associated with the observable attribute. 
- - name: privileges - type: keyword - description: The list of sensitive privileges, assigned to the new user session. - - name: raw_data - type: flattened - description: The event data as received from the event source. - - name: resource - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid type: keyword - description: The group privileges. 
- - name: type + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer type: keyword - description: The type of the group or account. + description: The identifier of the session issuer. + - name: mfa + type: boolean - name: uid type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid type: keyword - description: The name of the resource. - - name: owner + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user type: group fields: - name: account 
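Review bot: The new `integrity` field's description says it is "normalized to the caption of the direction_id value", but the sibling field added right after it is `integrity_id`, so the reference is wrong; change it to `description: The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).` Two other added fields carry no description at all: `session.mfa` (`type: boolean`, it appears twice in this hunk) and `parent_process_keyword` (`type: keyword` with `ignore_above: 1024`); MFA presence is something detections key on, so it deserves at least `description: The indication of whether Multi Factor Authentication was used during authentication.`, and `parent_process_keyword` should state what it holds — presumably a keyword rendering of the flattened `parent_process` object, which should be confirmed against the ingest pipeline. The enclosing `ocsf` group starts and ends outside this hunk, and the collapsed whitespace hides the nesting, so I could not confirm which parent object each of the two `pid` … `user` runs belongs to.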
@@ -4145,18 +1655,57 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: logon_type + type: keyword + description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. + - name: logon_type_id + type: keyword + description: The normalized logon type identifier + - name: message + type: keyword + description: The description of the event, as defined by the event source. + - name: observables + type: group + fields: + - name: name type: keyword - description: The cloud region of the resource. + description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.' + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. + - name: score_id + type: keyword + description: The normalized reputation score identifier. - name: type type: keyword - description: The resource type as defined by the event source. - - name: uid + description: The observable value type name. + - name: type_id type: keyword - description: The unique identifier of the resource. - - name: version + description: The observable value type identifier. + - name: value type: keyword - description: The version of the resource. For example 1.2.3. + description: The value associated with the observable attribute. 
+ - name: privileges + type: keyword + description: The list of sensitive privileges, assigned to the new user session. + - name: raw_data + type: flattened + description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. - name: service type: group fields: 
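Review bot: `raw_data_keyword` is declared `type: match_only_text`, yet its name and description ("The raw event data keyword") say keyword; `match_only_text` is a text field that is neither aggregatable nor usable for exact-term matching, so the description should say what the field actually is, e.g. `description: A text-searchable (match_only_text) copy of the raw event data as received from the event source; use raw_data for structured access.` That it mirrors `raw_data` is inferred from the name only, so confirm against the ingest pipeline before wording it that way. Minor: the `logon_type_id` description lacks the terminating period the rest of the file uses (`description: The normalized logon type identifier.`). The `ocsf` group this hunk belongs to starts and ends outside the hunk.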
@@ -4210,87 +1759,6 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. 
@@ -4327,84 +1795,6 @@ - name: unmapped type: flattened description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: user_result type: group fields: diff --git a/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml 
@@ -0,0 +1,122 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml
new file mode 100644
index 000000000000..91fca432e6eb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml
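Review bot: `tenant_uid` is described as "The audit level at which an event was generated.", which reads like a copy-paste slip; in OCSF the attribute is the unique tenant identifier, and since it is the field an analyst would filter on to scope events to one tenant/account, the wrong label is actively misleading — `description: The unique tenant identifier.` The `cpe_name` description is also garbled (`as described by (NIST) For example, ...`); suggest `description: The Common Platform Enumeration (CPE) name as described by NIST. For example, cpe:/a:apple:safari:16.2.` Both `extension` and `extensions` are mapped with identical sub-fields; if that is deliberate for OCSF 1.0/1.1 compatibility, a one-line comment such as `# extension: pre-1.1 singular form; extensions: the 1.1 array` above `extension` would keep a future cleanup from dropping one of them.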
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml 
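Review bot: `intermediate_ips` under both `dst_endpoint` and `src_endpoint` is mapped as `type: ip`, and its own description names the HTTP X-Forwarded-For header as the source; that header is client-supplied and routinely carries non-address strings, and with a strict `ip` mapping a single malformed value rejects the whole event at index time unless the ingest pipeline validates or drops it first, so junk in a header becomes a missing record in the lake. The contract should be visible in the field definition, e.g. extend the description with `Values that do not parse as IPv4/IPv6 are expected to be removed by the ingest pipeline.`, or confirm the pipeline already does this for both endpoints. Separately, the `dst_endpoint` and `src_endpoint` subtrees are verbatim copies of the same hundred-odd lines, and the copy-and-edit approach has already drifted in this commit's actor-fields.yml hunk, where `file.creator.name` is described as "The name of the city." and `file.modifier.email_addr` / `full_name` carry each other's descriptions. Those three descriptions should be corrected, and a one-line header comment in this file noting that the two endpoint blocks must stay identical would lower the odds of the same drift here.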
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml new file mode 100644 index 000000000000..904fd937ffa0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml 
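Review bot: `owner.groups.type_id` is described as "The resource group type identifier", but it sits inside the owner's group object, so the text reads as copied from the resource-level `type_id` below it; `description: The group type identifier.` would match its position. The group objects in this file also disagree with each other and with the rest of the commit: `resources.group` has no `domain`, `owner.groups` has a `type_id`, while `user.groups` in user-fields.yml has `domain` and no `type_id`, so if these are all the same OCSF Group object one attribute set should be used throughout. Note as well that `owner.ldap_person` is `flattened` here while `user.ldap_person` in user-fields.yml is a full group with `date` subfields, meaning the same attribute is range-queryable as a date in one place and only matchable as a keyword in the other; if that is deliberate, a short description saying so would spare the next reader the comparison.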
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/iam/manifest.yml b/packages/amazon_security_lake/data_stream/iam/manifest.yml index 647d7100d49d..cab4af81f2d6 100644 --- a/packages/amazon_security_lake/data_stream/iam/manifest.yml +++ b/packages/amazon_security_lake/data_stream/iam/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Identity and Access Management Events dataset: amazon_security_lake.iam type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml 
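Review bot: Six `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) declare `format: epoch_second`, while every other `type: date` field in this commit (`logged_time` and `modified_time` in the metadata hunk, process `created_time` in actor-fields.yml) declares no format, so the two sets expect different encodings of the same OCSF timestamp type. OCSF defines its timestamp type in milliseconds; if the pipeline passes those values through unchanged, `epoch_second` would read a millisecond value as seconds and index a date tens of thousands of years out instead of failing visibly. Either drop the format to match the other date fields, or state next to them why these six differ, e.g. `# ldap_person timestamps arrive as epoch seconds, unlike other OCSF timestamp fields`, and pin the behaviour with a pipeline test that uses a known value. The `manager` group's `description: Manager` could also say what it holds, e.g. `description: The user's manager, carrying the same attributes as the parent user object.`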
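Review bot: `dynamic: true` in the index template mappings lets any attribute not declared in the fields/*.yml files be mapped from the first document that carries it, so the set of indexed fields and their inferred types for this data stream are decided by event content rather than by the package. On a security data stream that matters twice: a burst of novel attribute names can reach `index.mapping.total_fields.limit` and start rejecting events, and a field first seen as a number is rejected when it later arrives as a string, both of which show up as missing records rather than as a schema decision an operator made. Since the commit title presents dynamic mappings as a feature, a comment beside the setting stating the intent and the accepted trade-off would help, e.g. `# dynamic: true - undeclared OCSF attributes are indexed with a type inferred from the first document; the curated set lives in fields/*.yml`. The diffstat suggests the same block is added to the other data streams' manifests, which this chunk does not show, so the comment would belong in each of them.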
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value.
In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined.
For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml 
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml 
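Review bot: `ocsf.api.request.containers.size` and `ocsf.api.response.containers.size` are mapped as `integer`, a signed 32-bit type in Elasticsearch, while the `file.size` byte count elsewhere in this same change uses `long`. OCSF does not state the unit for the container image size, but if producers report it in bytes, any image larger than about 2 GiB would fail to index with a mapping error, and a rejected document means the whole API event is missing from the data stream, which is a detection gap rather than a cosmetic issue. Suggest `type: long` for both `size` entries, e.g. `- name: size` / `type: long` / `description: The size of the container image.`, consistent with `file.size`. A smaller consistency point: `ocsf.api.group.desc` is `text` here while the equivalent `groups.desc` in the device fields of this patch is `keyword`; picking one keeps queries across OCSF group objects uniform.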
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 7dafaf441ca0..247eefdfaa72 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -7,2508 +7,57 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: flattened
- description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
- - name: parent_process_keyword
- type: keyword
- ignore_above: 1024
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system.
Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: answers
- type: group
- fields:
- - name: class
- type: keyword
- description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.'
- - name: flag_ids
- type: keyword
- description: The list of DNS answer header flag IDs.
- - name: flags
- type: keyword
- description: The list of DNS answer header flags.
- - name: packet_uid
- type: keyword
- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
- - name: rdata
- type: keyword
- description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.
- - name: ttl
- type: long
- description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.
- - name: type
- type: keyword
- description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.'
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
- - name: app_name
- type: keyword
- description: The name of the application that is associated with the event or object.
- - name: attacks
- type: group
- fields:
- - name: tactics
- type: group
- fields:
- - name: name
- type: keyword
- description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: uid
- type: keyword
- description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: technique
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
- - name: uid
- type: keyword
- description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
- - name: version
- type: keyword
- description: The ATT&CK Matrix version.
- - name: attempt
- type: long
- description: The attempt number for attempting to deliver the email.
- - name: banner
- type: keyword
- description: The initial SMTP connection response that a messaging server receives after it connects to a email server.
- - name: capabilities
- type: keyword
- description: A list of RDP capabilities.
- - name: category_name
- type: keyword
- description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
- - name: category_uid
- type: keyword
- description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
- - name: certificate_chain
- type: keyword
- description: The list of observed certificates in an RDP TLS connection.
- - name: class_name
- type: keyword
- description: 'The event class name, as defined by class_uid value: Security Finding.'
- - name: class_uid
- type: keyword
- description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
- - name: client_dialects - type: keyword - description: The list of SMB dialects that the client speaks. - - name: client_hassh - type: group - fields: - - name: algorithm - type: keyword - description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." - - name: fingerprint - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: cloud - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: codes - type: long - description: The list of return codes to the FTP command. - - name: command - type: keyword - description: The command name. - - name: command_responses - type: keyword - description: The list of responses to the FTP command. - - name: connection_info - type: group - fields: - - name: boundary - type: keyword - description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: boundary_id - type: keyword - description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: direction - type: keyword - description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. - - name: direction_id - type: keyword - description: The normalized identifier of the direction of the initiated connection, traffic, or email. - - name: protocol_name - type: keyword - description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' 
- - name: protocol_num - type: keyword - description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' - - name: protocol_ver - type: keyword - description: The Internet Protocol version. - - name: protocol_ver_id - type: keyword - description: The Internet Protocol version identifier. - - name: tcp_flags - type: long - description: The network connection TCP header flags (i.e., control bits). - - name: uid - type: keyword - description: The unique identifier of the connection. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: dce_rpc - type: group - fields: - - name: command - type: keyword - description: The request command (e.g. REQUEST, BIND). - - name: command_response - type: keyword - description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). - - name: flags - type: keyword - description: The list of interface flags. - - name: opnum - type: long - description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. - - name: rpc_interface - type: group - fields: - - name: ack_reason - type: long - description: An integer that provides a reason code or additional information about the acknowledgment result. - - name: ack_result - type: long - description: An integer that denotes the acknowledgment result of the DCE/RPC call. - - name: uuid - type: keyword - description: The unique identifier of the particular remote procedure or service. - - name: version - type: keyword - description: The version of the DCE/RPC protocol being used in the session. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. 
- - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' 
- - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. 
- - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. 
- - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. 
- - name: subnet_prefix - type: long - description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. 
- - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dialect - type: keyword - description: The negotiated protocol dialect. - - name: direction - type: keyword - description: The direction of the email, as defined by the direction_id value. 
- - name: direction_id - type: keyword - description: The direction of the email relative to the scanning host or organization. - - name: disposition - type: keyword - description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. - - name: disposition_id - type: keyword - description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. 
- - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. - - name: email + - name: action_id + type: integer + description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. 
+ - name: action + type: keyword + description: The normalized caption of action_id. + - name: answers type: group fields: - - name: cc - type: keyword - description: The email header Cc values, as defined by RFC 5322. - - name: delivered_to + - name: class type: keyword - description: The Delivered-To email header field. - - name: from + description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' + - name: flag_ids type: keyword - description: The email header From values, as defined by RFC 5322. - - name: message_uid + description: The list of DNS answer header flag IDs. + - name: flags type: keyword - description: The email header Message-Id value, as defined by RFC 5322. - - name: raw_header + description: The list of DNS answer header flags. + - name: packet_uid type: keyword - description: The email authentication header. - - name: reply_to + description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + - name: rdata type: keyword - description: The email header Reply-To values, as defined by RFC 5322. - - name: size + description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. + - name: ttl type: long - description: The size in bytes of the email, including attachments. - - name: smtp_from - type: keyword - description: The value of the SMTP MAIL FROM command. - - name: smtp_to - type: keyword - description: The value of the SMTP envelope RCPT TO command. - - name: subject - type: keyword - description: The email header Subject value, as defined by RFC 5322. - - name: to - type: keyword - description: The email header To values, as defined by RFC 5322. - - name: uid - type: keyword - description: The email unique identifier. - - name: x_originating_ip - type: ip - description: The X-Originating-IP header identifying the emails originating IP address(es). 
- - name: email_auth - type: group - fields: - - name: dkim - type: keyword - description: The DomainKeys Identified Mail (DKIM) status of the email. - - name: dkim_domain - type: keyword - description: The DomainKeys Identified Mail (DKIM) signing domain of the email. - - name: dkim_signature - type: keyword - description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. - - name: dmarc - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. - - name: dmarc_override - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. - - name: dmarc_policy - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. - - name: spf + description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. + - name: type type: keyword - description: The Sender Policy Framework (SPF) status of the email. - - name: email_uid + description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.' + - name: app_name type: keyword - description: The unique identifier of the email, used to correlate related email alert and activity events. - - name: end_time - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: end_time_dt - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: enrichments + description: The name of the application that is associated with the event or object. + - name: authorizations type: group fields: - - name: data - type: flattened - description: The enrichment data associated with the attribute and value. 
The meaning of this data depends on the type the enrichment record. - - name: name - type: keyword - description: The name of the attribute to which the enriched data pertains. - - name: provider + - name: decision type: keyword - description: The enrichment data provider name. - - name: type - type: keyword - description: The enrichment type. For example, location. - - name: value - type: keyword - description: The value of the attribute to which the enriched data pertains. - - name: expiration_time - type: date - description: The share expiration time. - - name: expiration_time_dt - type: date - description: The share expiration time. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + - name: desc type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups + description: The description of the policy. + - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. 
@@ -2526,134 +75,71 @@ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. + description: 'The policy name. For example: IAM Policy.' - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: A unique identifier of the policy instance. + - name: version type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. 
- - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator + description: The policy version number. + - name: attacks + type: group + fields: + - name: tactics type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. 
For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: uid type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique + type: group + fields: + - name: name type: keyword - description: The account type identifier. + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. + - name: attempt + type: long + description: The attempt number for attempting to deliver the email. + - name: banner + type: keyword + description: The initial SMTP connection response that a messaging server receives after it connects to a email server. + - name: capabilities + type: keyword + description: A list of RDP capabilities. 
+ - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: certificate_chain + type: keyword + description: The list of observed certificates in an RDP TLS connection. + - name: class_name + type: keyword + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: client_dialects + type: keyword + description: The list of SMB dialects that the client speaks. + - name: client_hassh + type: group + fields: + - name: algorithm type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes + description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." + - name: fingerprint type: group fields: - name: algorithm 
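Review bot: The `category_uid` and `class_uid` descriptions added on the new side still carry text pasted from an enum table ("...of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events..." and "...in an event.2001 Security FindingSecurity Finding events..."), and `category_name`/`class_name` hard-code one category and one class as if they were the only values, so in a shared fields file they read as wrong documentation. Trim them to `description: The category unique identifier of the event.` and `description: The unique identifier of a class. A Class describes the attributes available in an event.`, and drop the single-value examples from `category_name` and `class_name`. Separately, `category_uid` and `class_uid` are mapped as `keyword` while `action_id` in the preceding hunk is `integer`; if the pipeline keeps these OCSF identifiers numeric, `keyword` will index them as strings and numeric range queries or dashboards keyed on them will not behave as expected, so this is worth confirming against the pipeline's expected output. The enclosing top-level `fields:` list starts outside this hunk.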
@@ -2665,309 +151,284 @@ - name: value type: keyword description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier + - name: cloud + type: group + fields: + - name: account type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type + description: The name of the organization. For example, Widget, Inc. + - name: ou_name type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid type: keyword - description: The account type identifier. + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: codes + type: long + description: The list of return codes to the FTP command. + - name: command + type: keyword + description: The command name. + - name: command_responses + type: keyword + description: The list of responses to the FTP command. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. 
+ - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: protocol_name + type: keyword + description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' + - name: protocol_num + type: keyword + description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' + - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: dce_rpc + type: group + fields: + - name: command + type: keyword + description: The request command (e.g. REQUEST, BIND). + - name: command_response + type: keyword + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). + - name: flags + type: keyword + description: The list of interface flags. 
+ - name: opnum + type: long + description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. + - name: rpc_interface + type: group + fields: + - name: ack_reason + type: long + description: An integer that provides a reason code or additional information about the acknowledgment result. + - name: ack_result + type: long + description: An integer that denotes the acknowledgment result of the DCE/RPC call. + - name: uuid + type: keyword + description: The unique identifier of the particular remote procedure or service. + - name: version type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder + description: The version of the DCE/RPC protocol being used in the session. + - name: dialect + type: keyword + description: The negotiated protocol dialect. + - name: direction + type: keyword + description: The direction of the email, as defined by the direction_id value. + - name: direction_id + type: keyword + description: The direction of the email relative to the scanning host or organization. + - name: disposition + type: keyword + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. + - name: disposition_id + type: keyword + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: email + type: group + fields: + - name: cc + type: keyword + description: The email header Cc values, as defined by RFC 5322. + - name: delivered_to + type: keyword + description: The Delivered-To email header field. 
+ - name: from + type: keyword + description: The email header From values, as defined by RFC 5322. + - name: message_uid + type: keyword + description: The email header Message-Id value, as defined by RFC 5322. + - name: raw_header + type: keyword + description: The email authentication header. + - name: reply_to + type: keyword + description: The email header Reply-To values, as defined by RFC 5322. + - name: size + type: long + description: The size in bytes of the email, including attachments. + - name: smtp_from + type: keyword + description: The value of the SMTP MAIL FROM command. + - name: smtp_to + type: keyword + description: The value of the SMTP envelope RCPT TO command. + - name: subject + type: keyword + description: The email header Subject value, as defined by RFC 5322. + - name: to + type: keyword + description: The email header To values, as defined by RFC 5322. + - name: uid + type: keyword + description: The email unique identifier. + - name: x_originating_ip + type: ip + description: The X-Originating-IP header identifying the emails originating IP address(es). + - name: email_auth + type: group + fields: + - name: dkim type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path + description: The DomainKeys Identified Mail (DKIM) status of the email. + - name: dkim_domain type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
- - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor + description: The DomainKeys Identified Mail (DKIM) signing domain of the email. + - name: dkim_signature type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. + - name: dmarc + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. + - name: dmarc_override + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. + - name: dmarc_policy + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. + - name: spf + type: keyword + description: The Sender Policy Framework (SPF) status of the email. 
+ - name: email_uid + type: keyword + description: The unique identifier of the email, used to correlate related email alert and activity events. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: expiration_time + type: date + description: The share expiration time. + - name: expiration_time_dt + type: date + description: The share expiration time. + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. 
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
type: keyword
- description: The file type ID.
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
- name: uid
type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ description: The unique identifier of the rule that generated the event.
- name: version
type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ description: The rule version. For example, 1.1.
- name: http_request
type: group
fields:
@@ -3067,6 +528,9 @@
- name: lease_dur
type: long
description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1)
+ - name: load_balancer
+ type: flattened
+ description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.
- name: malware
type: group
fields:
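Review bot: The new `category_uid` and `class_uid` descriptions carry pasted table fragments (`...of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate...` and `...in an event.2001 Security FindingSecurity Finding events describe...`), and `category_name`/`class_name` hard-code `Identity & Access Management` and `Security Finding` although this same file defines DNS, email, FTP, NTP and firewall attributes, so the generated field reference will mislead anyone writing a detection on these fields. Trim them to the generic text, e.g. `description: The category unique identifier of the event.` and `description: The unique identifier of a class. A Class describes the attributes available in an event.`, and drop the single-class examples from the two `*_name` descriptions. Separately, `certificate_chain`, `dkim_signature` and `email.raw_header` are plain `keyword`; if the package's usual `ignore_above: 1024` default applies, these routinely long values will be stored but not indexed, so an explicit `ignore_above` or `match_only_text` is worth considering if they need to be searchable.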
@@ -3130,18 +594,11 @@
- name: product
type: group
fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
- name: lang
type: keyword
description: The two letter lower case language codes, as defined by ISO 639-1.
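Review bot: `feature.*` with `object_type: keyword` and `object_type_mapping_type: "*"` maps whatever arrives under `product.feature` as keyword, so the previously explicit `name`, `uid` and `version` leaves vanish from the generated field reference and the mapping no longer rejects unexpected keys. The `"*"` match type also means a non-string leaf (a number, or a nested object if a source ever emits one) is handed to the keyword mapper; I would confirm the nested-object case indexes rather than fails before relying on it. If the aim is only to tolerate extra keys, keeping the three known leaves explicit next to the wildcard preserves the docs; otherwise record the expected key set in the description, e.g. `description: The Feature object provides information about the software product feature that generated a specific event. Known keys are name, uid and version; all leaves are indexed as keyword.`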
@@ -3184,108 +641,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
- name: name
type: keyword
description: The name of the data affiliated with the command.
@@ -3325,90 +680,27 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic
+ type: flattened
+ description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.
- name: query
type: group
fields:
@@ -3440,7 +732,8 @@
type: flattened
description: The event data as received from the event source.
- name: raw_data_keyword
- type: keyword
+ type: match_only_text
+ description: The raw event data keyword as received from the event source.
- name: rcode
type: keyword
description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.
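Review bot: The four new `proxy_*` objects are `flattened`, so every leaf under them is indexed as a keyword: byte and packet counts in `proxy_traffic` cannot be summed or range-filtered, and an address or port under `proxy_connection_info` is not an `ip`/`long` the way the typed `connection_info` group earlier in this diff defines those attributes. If that is a deliberate trade-off to bound the field count, say so in the descriptions, e.g. `description: The network traffic from the proxy server to the remote server. Stored flattened, so all values are keyword-only.`; otherwise give `proxy_connection_info` the same typed group as `connection_info`. The current `proxy_traffic` description also reads as a dictionary definition of "network traffic" rather than a description of the field.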
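Review bot: `raw_data_keyword` changes from `keyword` to `match_only_text`, which removes aggregation, sorting and exact-term lookup on the field and leaves a type conflict with backing indices created by earlier package versions, while the name and the new description (`The raw event data keyword as received...`) still present it as a keyword. If the intent is to keep raw payloads that exceed the keyword length limit searchable, state that, e.g. `description: The raw event data as received from the event source, indexed as text so oversized payloads remain searchable.`, and call the mapping change out in the changelog since saved searches or detections that aggregate on this field will stop working for new data.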
@@ -3564,87 +857,6 @@ - name: smtp_hello type: keyword description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -3663,6 +875,12 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: stratum_id + type: integer + description: The normalized identifier of the stratum level, as defined in RFC-5905. + - name: stratum + type: keyword + description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. - name: time type: date description: The normalized event occurrence time. @@ -3858,3 +1076,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. + - name: version + type: keyword + description: The version number of the NTP protocol. 
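Review bot: `stratum_id` is mapped as `integer` whereas every other normalized `*_id` enum field visible in this file (`status_id`, `type_id`, `algorithm_id`) is `keyword`, so a query or visualization that treats OCSF `_id` fields uniformly will behave differently for this one field, and the mismatch is not explained next to the companion `stratum` caption field. Unless the pipeline deliberately needs numeric range queries on the stratum level, `type: keyword` keeps the file's convention; if `integer` is intended, a one-line note in the description (`Mapped as integer to allow range queries on stratum level.`) would stop it from being "fixed" back later. The enclosing field list starts and ends outside this hunk.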
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml new file mode 100644 index 000000000000..f0d2fe6bc6b1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml 
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml 
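Review bot: `file.hashes` (and likewise `signature.certificate.fingerprints` and each user object's `groups`) is mapped as `type: group`, i.e. a plain object, although its `algorithm`/`algorithm_id`/`value` sub-fields describe one fingerprint; if the source delivers an array of such objects, as the plural name suggests, Elasticsearch flattens the array and the per-element pairing is lost, so a rule like `hashes.algorithm: SHA-256 AND hashes.value: <digest>` can match across two different elements. Matching on `hashes.value` alone is unaffected, but an algorithm-qualified detection will produce silent false positives. Either state this in the description, e.g. `description: Digital fingerprints of the file. Array elements are flattened, so algorithm and value are not correlated per element.`, or, if the pipeline also copies digests into typed ECS fields such as `file.hash.sha256`, say so here so rule authors use those instead. Separately, `uid`'s description has a typo: `such the file system file ID` should read `such as the file system file ID`.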
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml 
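Review bot: `tenant_uid`'s description, `The audit level at which an event was generated.`, does not describe a tenant identifier and looks copied from a different attribute; since this is likely the field analysts use to scope queries per account or tenant in a multi-account lake, it should read something like `description: The unique tenant identifier.` The hunk also defines both `extension` (singular) and `extensions` with identical sub-fields; if one exists only for pre-1.1 events, a note on the older one (`Kept for events produced before OCSF 1.1; prefer extensions.`) would prevent the two from being populated or queried inconsistently.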
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml
new file mode 100644
index 000000000000..898740ab4d10
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml
@@ -0,0 +1,108 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml
new file mode 100644
index 000000000000..11d1f9a9bdb8
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml
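Review bot: `intermediate_ips` (and `ip`) under `ocsf.proxy_endpoint` use the strict `ip` mapping while the description itself says the values come from the HTTP X-Forwarded-For header, which is client-supplied and in practice often carries hostnames, `unknown` or address:port strings rather than clean addresses; a single such value rejects the whole document at index time unless the ingest pipeline validates or drops it first, which this hunk cannot show. The practical effect is that exactly the events with odd proxy headers — the ones a defender most wants retained — would be the ones missing from the data stream, so either the pipeline should guard these fields or the mapping should tolerate malformed values (Elasticsearch's `ignore_malformed`), if the package spec exposes that for this field type. The same applies to `ocsf.proxy.intermediate_ips` in proxy-fields-deprecated.yml below and to the endpoint groups in the preceding hunk. If the pipeline already handles it, a comment on the field such as `# values are validated or dropped by the ingest pipeline before reaching this strict ip mapping` would record that for the next maintainer.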
@@ -0,0 +1,84 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country.
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
diff --git a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml
index b7d7b7e7600d..bc977e86cdd4 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml
@@ -1,3 +1,9 @@
 title: Amazon Security Lake Network Activity Events
 dataset: amazon_security_lake.network_activity
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
new file mode 100644
index 000000000000..76096c38c9bb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
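Review bot: Nothing inside the new `ocsf.proxy` group says it is the deprecated form of the endpoint; only the file name proxy-fields-deprecated.yml does, so the generated field reference will list `ocsf.proxy.*` beside `ocsf.proxy_endpoint.*` from proxy-endpoint-fields.yml with no indication which one new rules and dashboards should target. A `description` on the group entry, e.g. `description: Deprecated. Use ocsf.proxy_endpoint instead.`, or a `# Deprecated: retained for events that still populate proxy` comment at the top of the file, would make that visible where the fields are read. The group also lacks the `container`, `hw_info`, `os`, `type`/`type_id` and `proxy_endpoint` entries that `ocsf.proxy_endpoint` carries, which is presumably intentional for the legacy shape but deserves a clause in that same note.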
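Review bot: `dynamic: true` under `index_template.mappings` makes every OCSF attribute the fields files do not cover take its type from the first document that carries it, so a later event with the same attribute in another form (a number where the first was a string, an object where the first was a scalar) is rejected with a mapping conflict, and because the type is decided by event content a single malformed record in the lake can block that field for the rest of the backing index. The mapped-field count also grows with the data; with `actor-fields.yml` alone adding 1815 lines in this commit, the default `index.mapping.total_fields.limit` may be reached, after which documents are rejected rather than indexed, unless the package raises it elsewhere. `dynamic_dataset` and `dynamic_namespace` likewise let event content choose the target data stream, which is fine if the pipeline sets `data_stream.dataset`/`data_stream.namespace` itself but worth confirming it does not pass through values from the source rows. A comment in the manifest, e.g. `# dynamic: true — unmapped OCSF attributes are auto-mapped; the first-seen type wins`, plus a pipeline-test event carrying an unmapped attribute, would pin the intended behaviour; presumably the other data-stream manifests in this commit make the same change.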
@@ -0,0 +1,1815 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: actor
+ type: group
+ fields:
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: idp
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the identity provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the identity provider.
+ - name: invoked_by
+ type: keyword
+ description: The name of the service that invoked the activity as described in the event.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value.
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml
@@ -0,0 +1,154 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: api
+ type: group
+ description: Describes details about a typical API (Application Programming Interface) call.
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: group
+ type: group
+ description: The information pertaining to the API group.
+ fields:
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: request
+ type: group
+ description: Details pertaining to the API request.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: response
+ type: group
+ description: Details pertaining to the API response.
+ fields:
+ - name: code
+ type: integer
+ description: The numeric response sent to a request.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: text
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: message
+ type: text
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ description: The information pertaining to the API service.
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml
new file mode 100644
index 000000000000..1fbf81b593e4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml
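Review bot: `ocsf.api.group.desc` is mapped as `text` while every other group `desc` in this package (device groups, user groups) is `keyword`, so this one field cannot be aggregated or used in terms filters like its siblings; the line should read `+ type: keyword` unless free-text search on it is intended. In the same hunk, `containers.size` under both `request` and `response` is `integer` with the description "The size of the container image"; image sizes are byte counts and routinely exceed 2 GiB, so `+ type: long` avoids an indexing failure on large images. The repeated containers description also contains the typo "write to the standard the output", which the OCSF wording has as "standard output" — worth fixing in both copies.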
@@ -0,0 +1,348 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index e45b7ecdf2e0..86d2c79e1692 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
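Review bot: The description of `ocsf.device.uid_alt` near the end of this hunk is the user-object text ("The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID."), which is wrong on a device field; it should describe the device, e.g. `+ description: The alternate unique identifier of the device.` Earlier in the same hunk `created_time_dt` has the typo `TThe time when the device was known to have been created.`. Also, `subnet` is mapped as `ip_range` but documented as "The subnet mask."; `ip_range` only accepts CIDR (or from/to) values, so if any source emits a dotted mask the whole event fails to index — it would be worth confirming the pipeline only writes CIDR strings here, or that an on_failure handler covers it.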
@@ -10,22 +10,154 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
+ - name: actual_permissions
+ type: long
+ description: The permissions that were granted to the in a platform-native format.
+ - name: attacks
+ type: group
+ fields:
+ - name: tactics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
+ - name: uid
+ type: keyword
+ description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
+ - name: technique
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
+ - name: uid
+ type: keyword
+ description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
+ - name: version
+ type: keyword
+ description: The ATT&CK Matrix version.
+ - name: base_address
+ type: keyword
+ description: The memory address that was access or requested.
+ - name: category_name
+ type: keyword
+ description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
+ - name: category_uid
+ type: keyword
+ description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
+ - name: class_name
+ type: keyword
+ description: 'The event class name, as defined by class_uid value: Security Finding.'
+ - name: class_uid
+ type: keyword
+ description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
+ - name: cloud
 type: group
 fields:
- - name: authorizations
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: org
 type: group
 fields:
- - name: decision
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
 type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: project_uid
+ type: keyword
+ description: The unique identifier of a Cloud project.
+ - name: provider
+ type: keyword
+ description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
+ - name: region
+ type: keyword
+ description: The name of the cloud region, as defined by the cloud provider.
+ - name: zone
+ type: keyword
+ description: The availability zone in the cloud region, as defined by the cloud provider.
+ - name: component
+ type: keyword
+ description: The name or relative pathname of a sub-component of the data object, if applicable.
+ - name: connection_uid
+ type: keyword
+ description: The network connection identifier.
+ - name: count
+ type: long
+ description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
+ - name: create_mask
+ type: keyword
+ description: The original Windows mask that is required to create the object.
+ - name: disposition
+ type: keyword
+ description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
+ - name: disposition_id
+ type: keyword
+ description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.
+ - name: driver
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
 type: group
 fields:
- - name: desc
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
 type: keyword
- description: The description of the policy.
- - name: group
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
 type: group
 fields:
 - name: desc
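Review bot: The new `category_name`, `category_uid`, `class_name` and `class_uid` descriptions in this hunk document the Identity & Access Management category and the Security Finding class, but this file belongs to the system_activity data stream, so the field help shown in Kibana will be wrong for every event it indexes; `category_uid` additionally carries pasted web-page text ("of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events ..."). Suggested wording: `+ description: 'The event category name, as defined by category_uid value: System Activity.'`, `+ description: The category unique identifier of the event.`, and for the class pair `+ description: The event class name, as defined by class_uid value.` / `+ description: The unique identifier of a class. A Class describes the attributes available in an event.` The `actual_permissions` description near the top is also missing its object ("granted to the in a platform-native format"); I would read it as "granted to the process" but that should be checked against the OCSF 1.1 schema text rather than guessed. The hunk's enclosing `ocsf` group starts before line 10 and the `groups` block it ends on continues into the next hunk.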
@@ -45,3092 +177,365 @@ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: 'The policy name. For example: IAM Policy.' + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. - name: uid type: keyword - description: A unique identifier of the policy instance. - - name: version + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. 
+ - name: confidentiality_id type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: - - name: hash + - name: account type: group fields: - - name: algorithm + - name: name type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: The name of the account (e.g. GCP Account Name). + - name: type type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id type: keyword - description: The digital fingerprint value. - - name: image + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: labels + - name: desc type: keyword - description: The image labels. 
+ description: The group description. - name: name type: keyword - description: The image name. - - name: path + description: The group name. + - name: privileges type: keyword - description: The full path to the image file. - - name: tag + description: The group privileges. + - name: type type: keyword - description: The tag used by the container. It can indicate version, format, OS. + description: The type of the group or account. - name: uid type: keyword - description: The unique image ID. + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime + description: The account type identifier. + - name: uid type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time type: date - description: The time when the process was created/started. - - name: created_time_dt + description: The time when the file was last modified. + - name: modified_time_dt type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. 
- - name: accessor + - name: account type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid + - name: desc type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain + description: The group description. + - name: name type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr + description: The group name. + - name: privileges type: keyword - description: The user's email address. - - name: full_name + description: The group privileges. + - name: type type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: - name: name type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. 
- name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + - name: desc type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The group description. + - name: name type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. 
- - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' 
- - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. 
- - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. 
- - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. 
- - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. 
- - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: flattened
- description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
- - name: parent_process_keyword
- type: keyword
- ignore_above: 1024
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system.
Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: actual_permissions
- type: long
- description: The permissions that were granted to the in a platform-native format.
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
- - name: attacks
- type: group
- fields:
- - name: tactics
- type: group
- fields:
- - name: name
- type: keyword
- description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: uid
- type: keyword
- description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: technique
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
- - name: uid
- type: keyword
- description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
- - name: version
- type: keyword
- description: The ATT&CK Matrix version.
- - name: base_address
- type: keyword
- description: The memory address that was access or requested.
- - name: category_name
- type: keyword
- description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
- - name: category_uid
- type: keyword
- description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
- - name: class_name
- type: keyword
- description: 'The event class name, as defined by class_uid value: Security Finding.'
- - name: class_uid
- type: keyword
- description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
- - name: cloud
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: project_uid
- type: keyword
- description: The unique identifier of a Cloud project.
- - name: provider
- type: keyword
- description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
- - name: region
- type: keyword
- description: The name of the cloud region, as defined by the cloud provider.
- - name: zone
- type: keyword
- description: The availability zone in the cloud region, as defined by the cloud provider.
- - name: component
- type: keyword
- description: The name or relative pathname of a sub-component of the data object, if applicable.
- - name: connection_uid
- type: keyword
- description: The network connection identifier.
- - name: count
- type: long
- description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
- - name: create_mask
- type: keyword
- description: The original Windows mask that is required to create the object.
- - name: device
- type: group
- fields:
- - name: autoscale_uid
- type: keyword
- description: The unique identifier of the cloud autoscale configuration.
- - name: created_time
- type: date
- description: The time when the device was known to have been created.
- - name: created_time_dt
- type: date
- description: TThe time when the device was known to have been created.
- - name: desc
- type: keyword
- description: The description of the device, ordinarily as reported by the operating system.
- - name: domain
- type: keyword
- description: 'The network domain where the device resides. For example: work.example.com.'
- - name: first_seen_time
- type: date
- description: The initial discovery time of the device.
- - name: first_seen_time_dt
- type: date
- description: The initial discovery time of the device.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: hostname
- type: keyword
- description: The devicename.
- - name: hw_info
- type: group
- fields:
- - name: bios_date
- type: keyword
- description: 'The BIOS date. For example: 03/31/16.'
- - name: bios_manufacturer
- type: keyword
- description: 'The BIOS manufacturer. For example: LENOVO.'
- - name: bios_ver
- type: keyword
- description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
- - name: chassis
- type: keyword
- description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
- - name: cpu_bits
- type: long
- description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
- - name: cpu_cores
- type: long
- description: 'The number of processor cores in all installed processors. For Example: 42.'
- - name: cpu_count
- type: long
- description: 'The number of physical processors on a system. For example: 1.'
- - name: cpu_speed
- type: long
- description: 'The speed of the processor in Mhz. For Example: 4200.'
- - name: cpu_type
- type: keyword
- description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
- - name: desktop_display
- type: group
- fields:
- - name: color_depth
- type: long
- description: The numeric color depth.
- - name: physical_height
- type: long
- description: The numeric physical height of display.
- - name: physical_orientation
- type: long
- description: The numeric physical orientation of display.
- - name: physical_width
- type: long
- description: The numeric physical width of display.
- - name: scale_factor
- type: long
- description: The numeric scale factor of display.
- - name: keyboard_info
- type: group
- fields:
- - name: function_keys
- type: long
- description: The number of function keys on client keyboard.
- - name: ime
- type: keyword
- description: The Input Method Editor (IME) file name.
- - name: keyboard_layout
- type: keyword
- description: The keyboard locale identifier name (e.g., en-US).
- - name: keyboard_subtype
- type: long
- description: The keyboard numeric code.
- - name: keyboard_type
- type: keyword
- description: The keyboard type (e.g., xt, ico).
- - name: ram_size
- type: long
- description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
- - name: serial_number
- type: keyword
- description: The device manufacturer serial number.
- - name: hypervisor
- type: keyword
- description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: imei
- type: keyword
- description: The International Mobile Station Equipment Identifier that is associated with the device.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: ip
- type: ip
- description: The device IP address, in either IPv4 or IPv6 format.
- - name: is_compliant
- type: boolean
- description: The event occurred on a compliant device.
- - name: is_managed
- type: boolean
- description: The event occurred on a managed device.
- - name: is_personal
- type: boolean
- description: The event occurred on a personal device.
- - name: is_trusted
- type: boolean
- description: The event occurred on a trusted device.
- - name: last_seen_time
- type: date
- description: The most recent discovery time of the device.
- - name: last_seen_time_dt
- type: date
- description: The most recent discovery time of the device.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The device Media Access Control (MAC) address.
- - name: modified_time
- type: date
- description: The time when the device was last known to have been modified.
- - name: modified_time_dt
- type: date
- description: The time when the device was last known to have been modified.
- - name: name
- type: keyword
- description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
- - name: network_interfaces
- type: group
- fields:
- - name: hostname
- type: keyword
- description: The hostname associated with the network interface.
- - name: ip
- type: ip
- description: The IP address associated with the network interface.
- - name: mac
- type: keyword
- description: The MAC address of the network interface.
- - name: name
- type: keyword
- description: The name of the network interface.
- - name: namespace
- type: keyword
- description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
- - name: subnet_prefix
- type: long
- description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
- - name: type
- type: keyword
- description: The type of network interface.
- - name: type_id
- type: keyword
- description: The network interface type identifier.
- - name: uid
- type: keyword
- description: The unique identifier for the network interface.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: os
- type: group
- fields:
- - name: build
- type: keyword
- description: The operating system build number.
- - name: country
- type: keyword
- description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
- - name: cpu_bits
- type: long
- description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
- - name: edition
- type: keyword
- description: The operating system edition. For example, Professional.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The operating system name.
- - name: sp_name
- type: keyword
- description: The name of the latest Service Pack.
- - name: sp_ver
- type: keyword
- description: The version number of the latest Service Pack.
- - name: type
- type: keyword
- description: The type of the operating system.
- - name: type_id
- type: keyword
- description: The type identifier of the operating system.
- - name: version
- type: keyword
- description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
- - name: region
- type: keyword
- description: The region where the virtual machine is located. For example, an AWS Region.
- - name: risk_level
- type: keyword
- description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
- - name: risk_level_id
- type: keyword
- description: The normalized risk level id.
- - name: risk_score
- type: long
- description: The risk score as reported by the event source.
- - name: subnet
- type: ip_range
- description: The subnet mask.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: type
- type: keyword
- description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
- - name: type_id
- type: keyword
- description: The device type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
- - name: disposition
- type: keyword
- description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
- - name: disposition_id
- type: keyword
- description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.
- - name: driver
- type: group
- fields:
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier.
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'.
In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: duration
- type: long
- description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
- - name: end_time
- type: date
- description: The end time of a time period, or the time of the most recent event included in the aggregate event.
- - name: end_time_dt
- type: date
- description: The end time of a time period, or the time of the most recent event included in the aggregate event.
- - name: enrichments
- type: group
- fields:
- - name: data
- type: flattened
- description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
- - name: name
- type: keyword
- description: The name of the attribute to which the enriched data pertains.
- - name: provider
- type: keyword
- description: The enrichment data provider name.
- - name: type
- type: keyword
- description: The enrichment type. For example, location.
- - name: value
- type: keyword
- description: The value of the attribute to which the enriched data pertains.
- - name: exit_code - type: keyword - description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - name: name type: keyword - description: The name of the feature. + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the feature. + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. - name: version type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + description: The object security descriptor. + - name: signature type: group fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. 
+ - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. - name: created_time type: date - description: The time when the certificate was created. + description: The time when the digital signature was created. - name: created_time_dt type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest type: group fields: - name: algorithm 
@@ -3142,57 +547,95 @@ - name: value type: keyword description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid + - name: size + type: long + description: The size of data, in bytes. + - name: type type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. 
+ - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: exit_code + type: keyword + description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. 
+ - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER. + - name: name type: keyword - description: The file type ID. + description: The name of the rule that generated the event. + - name: rate_limit + type: integer + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. For example, HIGH. + - name: type + type: keyword + description: The rule type. - name: uid type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: The unique identifier of the rule that generated the event. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + description: The rule version. For example, 1.1. - name: file_diff type: keyword description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values. 
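Review bot: `firewall_rule.condition` is mapped as `text` although its own description gives an enum-style value (`SQL_INJECTION`); with the default analyzer the indexed token is lowercased, so exact-match `term` queries and aggregations that detection rules and dashboards rely on will not work against it. Mapping it as `keyword` keeps it consistent with the sibling enum-like fields in the same hunk (`match_location`, `sensitivity`, `type`): `- name: condition` / `type: keyword`; `desc` as `text` is fine for free text. Separately, `firewall_rule.duration` is `integer` while the top-level `duration` added earlier in this hunk is `long`; presumably both carry milliseconds and should share one type. The `ignore_malformed: true` added on the `flattened` field `enrichments.data` is only accepted by stack versions whose `flattened` mapper supports that parameter, so it is worth confirming against the package's minimum stack constraint (not visible in this hunk) before release.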
@@ -3574,18 +1017,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' @@ -3775,21 +1211,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
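Review bot: The new `org.*` dynamic object in the second hunk here carries no `description`, although the removed `org` group documented each organization identifier (`name`, `ou_name`, `ou_uid`, `uid`) and the parallel `feature.*` object in the first hunk does keep one. If the README field table is generated from these definitions, the organization fields used for attribution lose their documentation; add a line such as `description: The organization the user belongs to (for example name, ou_name, ou_uid, uid), mapped dynamically as keyword.` under `- name: org.*`. The same omission repeats in the `org.*` replacements at hunks `@@ -3871`, `@@ -3976`, `@@ -4057`, `@@ -4618`, `@@ -4714`, `@@ -4819` and `@@ -4900`, and in the first hunk of this chunk, whose start lies outside it. Note that `object_type_mapping_type: "*"` maps any JSON value type under `org` to keyword, so a numeric `uid` is indexed as a string; that matches the removed mapping but is worth stating in the description.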
@@ -3871,21 +1296,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3976,21 +1390,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4057,21 +1460,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4093,18 +1485,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -4396,18 +1781,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: The two letter lower case language codes, as defined by ISO 639-1. 
@@ -4450,108 +1828,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: module type: group fields: @@ -4618,21 +1894,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4714,21 +1979,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -4819,21 +2073,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -4900,21 +2143,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -4936,18 +2168,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -5239,21 +2464,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -5335,21 +2549,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -5440,21 +2643,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -5521,21 +2713,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -5557,18 +2738,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -5854,21 +3028,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -5950,21 +3114,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -6055,21 +3209,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -6136,21 +3280,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -6172,18 +3306,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -6436,21 +3563,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -6598,6 +3714,9 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: match_only_text
+ description: The raw event data keyword as received from the event source.
 - name: requested_permissions
 type: long
 description: The permissions mask that were requested by the process.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
new file mode 100644
index 000000000000..f0d2fe6bc6b1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
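Review bot: `raw_data_keyword` is mapped as `match_only_text`, but its name and its description (`The raw event data keyword as received from the event source.`) both read as a keyword field, which this type is not: `match_only_text` is analyzed, is not aggregatable and cannot be sorted on, so term-level queries match tokens rather than the whole raw value. If full-text search over the raw event is the intent, rename the field or at least reword it, e.g. `description: The raw event data as received from the event source, indexed as text for full-text search.`; if exact matching is the intent, `type: keyword` is the type to use. Either way this indexes the whole raw event a second time beside the `flattened` `raw_data`, so the description should say which queries the copy exists to serve.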
@@ -0,0 +1,509 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
new file mode 100644
index 000000000000..01b1c11c4dc4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
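Review bot: `hashes`, `signature.certificate.fingerprints` and the four `groups` lists under `accessor`, `creator`, `modifier` and `owner` are declared as plain `group`s, but in the OCSF schema these attributes are arrays of objects; without `type: nested` Elasticsearch flattens an array of `{algorithm, value}` pairs into independent arrays, so a query for `hashes.algorithm: SHA-256 AND hashes.value: <value>` can match a document where that value belongs to a different algorithm. If detection content is expected to pivot on a specific hash algorithm, mark these `type: nested` (accepting the cost of nested queries) or state the limitation on the group, e.g. `description: Array of file fingerprints. Algorithm/value pairs are not kept together in the index.`. Separately, this file spells out the full `org` sub-group under all four user objects, whereas the rest of this commit replaces `org` with a dynamic `org.*` object; the two should agree, or the difference be explained in the field description.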
@@ -0,0 +1,122 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml
index 9ed929df109b..c6a2cf87a577 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml
@@ -1,3 +1,9 @@
 title: Amazon Security Lake System Activity Events
 dataset: amazon_security_lake.system_activity
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
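Review bot: The description on `tenant_uid` at the top of this new metadata-fields.yml does not describe the field: OCSF defines `metadata.tenant_uid` as the unique tenant identifier, and "audit level" is not a property of any attribute in this object, so it reads like a copy-paste from a different field. Because this text is what ends up in the generated README table and in Kibana field tooltips, and tenant attribution is exactly what an analyst filters on in a multi-account Security Lake, I would change it to `description: The unique tenant identifier.`. The rest of the hunk is consistent with the OCSF 1.1 metadata object as far as I can tell, including keeping the older singular `extension` group alongside the `extensions` group.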
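Review bot: `dynamic: true` under `index_template.mappings` in the manifest hunk turns every OCSF attribute that the fields YAML does not list into a new, type-guessed mapped field, which pulls against the README note added elsewhere in this commit that deep objects were flattened precisely to stay under the field-mapping limit. Security Lake also forwards third-party custom-source events, so an unusual or noisy source can keep growing the mapping until the total-fields limit rejects writes, and a value whose guessed type differs from an earlier document fails with a mapping conflict rather than being indexed. If the goal is only to keep unlisted attributes searchable, `dynamic: runtime` gives that without growing the index mapping; otherwise `dynamic: false` with explicit `flattened` fields for the open-ended objects is the safer default. Whichever is kept, the choice and its failure mode deserve a sentence in the package README.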
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index b956a9743b4a..f5ca56c338b8 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -10,7 +10,7 @@ The Amazon Security Lake integration can be used in two different modes to colle ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams @@ -19,6 +19,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. + ## Requirements - Elastic Agent must be installed. 
@@ -88,15 +90,20 @@ This is the `Event` dataset. | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | event.dataset | Event dataset. | constant_keyword | +| event.message | Log message optimized for viewing in a log viewer. | text | | event.module | Event module. | constant_keyword | -| input.type | Type of filebeat input. | keyword | -| log.offset | Log offset. | long | +| input.type | Type of Filebeat input. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | | ocsf.access_mask | The access mask in a platform-native format. | long | +| ocsf.action | The normalized caption of action_id. | keyword | +| ocsf.action_id | The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. | integer | | ocsf.activity_id | The normalized identifier of the activity that triggered the event. | keyword | | ocsf.activity_name | The event activity name, as defined by the activity_id. | keyword | | ocsf.actor.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword | | ocsf.actor.authorizations.policy.desc | The description of the policy. | keyword | | ocsf.actor.authorizations.policy.group.desc | The group description. | keyword | +| ocsf.actor.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.authorizations.policy.group.name | The group name. | keyword | | ocsf.actor.authorizations.policy.group.privileges | The group privileges. | keyword | | ocsf.actor.authorizations.policy.group.type | The type of the group or account. | keyword | 
@@ -140,15 +147,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.accessor.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.accessor.groups.name | The group name. | keyword | | ocsf.actor.process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.accessor.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. 
| keyword | | ocsf.actor.process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -156,7 +162,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.attributes | The Bitmask value that represents the file attributes. | long | | ocsf.actor.process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword | | ocsf.actor.process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer | | ocsf.actor.process.file.created_time | The time when the file was created. | date | | ocsf.actor.process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | 
@@ -168,15 +174,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.creator.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.creator.groups.name | The group name. | keyword | | ocsf.actor.process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.creator.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.creator.type_id | The account type identifier. 
| keyword | | ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -198,15 +203,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.email_addr | The image name. For example: elixir. | keyword | | ocsf.actor.process.file.modifier.full_name | The user's email address. | keyword | | ocsf.actor.process.file.modifier.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.modifier.groups.name | The group name. | keyword | | ocsf.actor.process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.modifier.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.modifier.type_id | The account type identifier. 
| keyword | | ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -221,24 +225,21 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.owner.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.owner.groups.name | The group name. | keyword | | ocsf.actor.process.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.owner.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.owner.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
| keyword | | ocsf.actor.process.file.owner.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.actor.process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.actor.process.file.product.feature.name | The name of the feature. | keyword | -| ocsf.actor.process.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.actor.process.file.product.feature.version | The version of the feature. | keyword | +| ocsf.actor.process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.actor.process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.actor.process.file.product.name | The name of the feature. | keyword | | ocsf.actor.process.file.product.path | The installation path of the product. | keyword | 
@@ -259,6 +260,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword | | ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword | | ocsf.actor.process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword | +| ocsf.actor.process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword | | ocsf.actor.process.file.signature.certificate.version | The certificate version. | keyword | | ocsf.actor.process.file.signature.created_time | The time when the digital signature was created. | date | | ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date | 
@@ -273,12 +275,13 @@ This is the `Event` dataset. | ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | | ocsf.actor.process.group.desc | The group description. | keyword | +| ocsf.actor.process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.group.name | The group name. | keyword | | ocsf.actor.process.group.privileges | The group privileges. | keyword | | ocsf.actor.process.group.type | The type of the group or account. | keyword | | ocsf.actor.process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword | -| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer | | ocsf.actor.process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword | | ocsf.actor.process.loaded_modules | The list of loaded module names. | keyword | | ocsf.actor.process.name | The friendly name of the process, for example: Notepad++. | keyword | 
@@ -316,15 +319,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessor.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.accessor.org.\* | | object | | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -332,7 +334,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long | | ocsf.actor.process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword | | ocsf.actor.process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer | | ocsf.actor.process.parent_process.file.created_time | The time when the file was created. | date | | ocsf.actor.process.parent_process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | 
@@ -344,15 +346,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.creator.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.file.creator.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.creator.org.\* | | object | | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -374,15 +375,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modifier.email_addr | The image name. For example: elixir. | keyword | | ocsf.actor.process.parent_process.file.modifier.full_name | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.modifier.org.\* | | object | | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -397,24 +397,21 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.owner.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.file.owner.ldap_person | The LDAP attributes of the user. | flattened |
 | ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword |
-| ocsf.actor.process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.actor.process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.actor.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.actor.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.file.owner.org.\* | | object |
 | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | keyword |
 | ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.actor.process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.actor.process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.actor.process.parent_process.file.product.name | The name of the feature. | keyword |
 | ocsf.actor.process.parent_process.file.product.path | The installation path of the product. | keyword |
@@ -435,6 +432,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.version | The certificate version. | keyword |
 | ocsf.actor.process.parent_process.file.signature.created_time | The time when the digital signature was created. | date |
 | ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
@@ -449,12 +447,13 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
 | ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
 | ocsf.actor.process.parent_process.group.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.group.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.group.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.group.type | The type of the group or account. | keyword |
 | ocsf.actor.process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.actor.process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
-| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer |
 | ocsf.actor.process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
 | ocsf.actor.process.parent_process.loaded_modules | The list of loaded module names. | keyword |
 | ocsf.actor.process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword |
@@ -471,6 +470,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean |
 | ocsf.actor.process.parent_process.session.issuer | The identifier of the session issuer. | keyword |
 | ocsf.actor.process.parent_process.session.mfa | | boolean |
+| ocsf.actor.process.parent_process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword |
 | ocsf.actor.process.parent_process.session.uid | The unique identifier of the session. | keyword |
 | ocsf.actor.process.parent_process.session.uuid | The universally unique identifier of the session. | keyword |
 | ocsf.actor.process.parent_process.terminated_time | The time when the process was terminated. | date |
@@ -486,15 +486,14 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.user.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword |
 | ocsf.actor.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.user.ldap_person | The LDAP attributes of the user. | flattened |
 | ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword |
-| ocsf.actor.process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.actor.process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.actor.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.actor.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.user.org.\* | Organization and org unit related to the user. | object |
 | ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.actor.process.parent_process.user.type_id | The account type identifier. | keyword |
 | ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -510,6 +509,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.session.is_remote | The indication of whether the session is remote. | boolean |
 | ocsf.actor.process.session.issuer | The identifier of the session issuer. | keyword |
 | ocsf.actor.process.session.mfa | | boolean |
+| ocsf.actor.process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword |
 | ocsf.actor.process.session.uid | The unique identifier of the session. | keyword |
 | ocsf.actor.process.session.uuid | The universally unique identifier of the session. | keyword |
 | ocsf.actor.process.terminated_time | The time when the process was terminated. | date |
@@ -525,29 +525,33 @@ This is the `Event` dataset.
 | ocsf.actor.process.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.user.groups.name | The group name. | keyword |
 | ocsf.actor.process.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.user.groups.type | The type of the group or account. | keyword |
 | ocsf.actor.process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.actor.process.user.name | The username. For example, janedoe1. | keyword |
-| ocsf.actor.process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.actor.process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.actor.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.actor.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.user.org.\* | | object |
 | ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.actor.process.user.type_id | The account type identifier. | keyword |
 | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.actor.session.count | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | integer |
 | ocsf.actor.session.created_time | The time when the session was created. | date |
 | ocsf.actor.session.created_time_dt | The time when the session was created. | date |
 | ocsf.actor.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.session.expiration_reason | The reason which triggered the session expiration. | keyword |
 | ocsf.actor.session.expiration_time | The session expiration time. | date |
 | ocsf.actor.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.actor.session.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean |
 | ocsf.actor.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.actor.session.is_vpn | The indication of whether the session is a VPN session. | boolean |
 | ocsf.actor.session.issuer | The identifier of the session issuer. | keyword |
 | ocsf.actor.session.mfa | | boolean |
+| ocsf.actor.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword |
 | ocsf.actor.session.uid | The unique identifier of the session. | keyword |
+| ocsf.actor.session.uid_alt | The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. | keyword |
 | ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword |
 | ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
@@ -558,15 +562,14 @@ This is the `Event` dataset.
 | ocsf.actor.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.user.groups.desc | The group description. | keyword |
+| ocsf.actor.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.user.groups.name | The group name. | keyword |
 | ocsf.actor.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.user.groups.type | The type of the group or account. | keyword |
 | ocsf.actor.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.user.ldap_person | The LDAP attributes of the user. | flattened |
 | ocsf.actor.user.name | The username. For example, janedoe1. | keyword |
-| ocsf.actor.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.actor.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.actor.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.actor.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.user.org.\* | Organization and org unit related to the user. | object |
 | ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.actor.user.type_id | The account type identifier. | keyword |
 | ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -594,22 +597,48 @@ This is the `Event` dataset.
 | ocsf.answers.rdata | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. | keyword |
 | ocsf.answers.ttl | The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. | long |
 | ocsf.answers.type | The type of data contained in this resource record. See RFC1035. For example: CNAME. | keyword |
+| ocsf.api.group.desc | The group description. | text |
+| ocsf.api.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
+| ocsf.api.group.name | The group name. | keyword |
+| ocsf.api.group.privileges | The group privileges. | keyword |
+| ocsf.api.group.type | The type of the group or account. | keyword |
+| ocsf.api.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.api.operation | Verb/Operation associated with the request. | keyword |
-| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
+| ocsf.api.request.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened |
+| ocsf.api.request.containers.image | The container image used as a template to run the container. | flattened |
+| ocsf.api.request.containers.name | The container name. | keyword |
+| ocsf.api.request.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.api.request.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.api.request.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.api.request.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.api.request.containers.size | The size of the container image. | integer |
+| ocsf.api.request.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.api.request.containers.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.api.request.data | The additional data that is associated with the api request. | flattened |
+| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword |
 | ocsf.api.request.uid | The unique request identifier. | keyword |
-| ocsf.api.response.code | The numeric response sent to a request. | long |
+| ocsf.api.response.code | The numeric response sent to a request. | integer |
+| ocsf.api.response.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened |
+| ocsf.api.response.containers.image | The container image used as a template to run the container. | flattened |
+| ocsf.api.response.containers.name | The container name. | keyword |
+| ocsf.api.response.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.api.response.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.api.response.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.api.response.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.api.response.containers.size | The size of the container image. | integer |
+| ocsf.api.response.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.api.response.containers.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.api.response.data | The additional data that is associated with the api response. | flattened |
 | ocsf.api.response.error | Error Code. | keyword |
-| ocsf.api.response.error_message | Error Message. | keyword |
-| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
-| ocsf.api.response.message | The description of the event, as defined by the event source. | keyword |
+| ocsf.api.response.error_message | Error Message. | text |
+| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword |
+| ocsf.api.response.message | The description of the event/finding, as defined by the source. | text |
 | ocsf.api.service.labels | The list of labels associated with the service. | keyword |
 | ocsf.api.service.name | The name of the service. | keyword |
 | ocsf.api.service.uid | The unique identifier of the service. | keyword |
 | ocsf.api.service.version | The version of the service. | keyword |
 | ocsf.api.version | The version of the API service. | keyword |
-| ocsf.app.feature.name | The name of the feature. | keyword |
-| ocsf.app.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.app.feature.version | The version of the feature. | keyword |
+| ocsf.app.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.app.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
 | ocsf.app.name | The CIS benchmark name. | keyword |
 | ocsf.app.path | The installation path of the product. | keyword |
@@ -618,6 +647,8 @@ This is the `Event` dataset.
 | ocsf.app.vendor_name | The name of the vendor of the product. | keyword |
 | ocsf.app.version | The version of the product, as defined by the event source. | keyword |
 | ocsf.app_name | The name of the application that is associated with the event or object. | keyword |
+| ocsf.assignee | The details of the user assigned to an Incident. | flattened |
+| ocsf.assignee_group | The details of the group assigned to an Incident. | flattened |
 | ocsf.attacks.tactics.name | The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
 | ocsf.attacks.tactics.uid | The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
 | ocsf.attacks.technique.name | The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise. | keyword |
@@ -626,6 +657,17 @@ This is the `Event` dataset.
 | ocsf.attempt | The attempt number for attempting to deliver the email. | long |
 | ocsf.auth_protocol | The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.auth_protocol_id | The normalized identifier of the authentication protocol used to create the user session. | keyword |
+| ocsf.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword |
+| ocsf.authorizations.policy.desc | The description of the policy. | keyword |
+| ocsf.authorizations.policy.group.desc | The group description. | keyword |
+| ocsf.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
+| ocsf.authorizations.policy.group.name | The group name. | keyword |
+| ocsf.authorizations.policy.group.privileges | The group privileges. | keyword |
+| ocsf.authorizations.policy.group.type | The type of the group or account. | keyword |
+| ocsf.authorizations.policy.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.authorizations.policy.name | The policy name. For example: IAM Policy. | keyword |
+| ocsf.authorizations.policy.uid | A unique identifier of the policy instance. | keyword |
+| ocsf.authorizations.policy.version | The policy version number. | keyword |
 | ocsf.banner | The initial SMTP connection response that a messaging server receives after it connects to a email server. | keyword |
 | ocsf.base_address | The memory address that was access or requested. | keyword |
 | ocsf.capabilities | A list of RDP capabilities. | keyword |
@@ -646,7 +688,9 @@ This is the `Event` dataset.
 | ocsf.cis_benchmark_result.desc | The CIS benchmark description. | keyword |
 | ocsf.cis_benchmark_result.name | The CIS benchmark name. | keyword |
 | ocsf.cis_benchmark_result.remediation.desc | The description of the remediation strategy. | keyword |
+| ocsf.cis_benchmark_result.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened |
 | ocsf.cis_benchmark_result.remediation.kb_articles | The KB article/s related to the entity. | keyword |
+| ocsf.cis_benchmark_result.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword |
 | ocsf.cis_benchmark_result.rule.category | The rule category. | keyword |
 | ocsf.cis_benchmark_result.rule.desc | The description of the rule that generated the event. | keyword |
 | ocsf.cis_benchmark_result.rule.name | The name of the rule that generated the event. | keyword |
@@ -677,10 +721,15 @@ This is the `Event` dataset.
 | ocsf.codes | The list of return codes to the FTP command. | long |
 | ocsf.command | The command name. | keyword |
 | ocsf.command_responses | The list of responses to the FTP command. | keyword |
+| ocsf.command_uid | The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. | keyword |
 | ocsf.comment | The user provided comment about why the entity was changed. | keyword |
-| ocsf.compliance.requirements | A list of applicable compliance requirements for which this finding is related to. | keyword |
-| ocsf.compliance.status | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.compliance.status_detail | The status details contains additional information about the event outcome. | keyword |
+| ocsf.compliance.control | A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. | keyword |
+| ocsf.compliance.requirements | A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. | keyword |
+| ocsf.compliance.standards | Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001. | keyword |
+| ocsf.compliance.status | The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.compliance.status_code | The resultant status code of the compliance check. | keyword |
+| ocsf.compliance.status_detail | The contextual description of the status, status_code values. | text |
+| ocsf.compliance.status_id | The normalized status identifier of the compliance check. | integer |
 | ocsf.component | The name or relative pathname of a sub-component of the data object, if applicable. | keyword |
 | ocsf.confidence | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.confidence_id | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. | keyword |
@@ -699,6 +748,8 @@ This is the `Event` dataset.
 | ocsf.count | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | long |
 | ocsf.create_mask | The original Windows mask that is required to create the object. | keyword |
 | ocsf.data_sources | The data sources for the finding. | keyword |
+| ocsf.database | The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. | flattened |
+| ocsf.databucket | The data bucket object is a basic container that holds data, typically organized through the use of data partitions. | flattened |
 | ocsf.dce_rpc.command | The request command (e.g. REQUEST, BIND). | keyword |
 | ocsf.dce_rpc.command_response | The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). | keyword |
 | ocsf.dce_rpc.flags | The list of interface flags. | keyword |
@@ -707,7 +758,9 @@ This is the `Event` dataset.
 | ocsf.dce_rpc.rpc_interface.ack_result | An integer that denotes the acknowledgment result of the DCE/RPC call. | long |
 | ocsf.dce_rpc.rpc_interface.uuid | The unique identifier of the particular remote procedure or service. | keyword |
 | ocsf.dce_rpc.rpc_interface.version | The version of the DCE/RPC protocol being used in the session. | keyword |
+| ocsf.desc | The short description of the incident. | keyword |
 | ocsf.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword |
+| ocsf.device.container | The information describing an instance of a container. | flattened |
 | ocsf.device.created_time | The time when the device was known to have been created. | date |
 | ocsf.device.created_time_dt | TThe time when the device was known to have been created. | date |
 | ocsf.device.desc | The description of the device, ordinarily as reported by the operating system. | keyword |
@@ -715,6 +768,7 @@ This is the `Event` dataset.
 | ocsf.device.first_seen_time | The initial discovery time of the device. | date |
 | ocsf.device.first_seen_time_dt | The initial discovery time of the device. | date |
 | ocsf.device.groups.desc | The group description. | keyword |
+| ocsf.device.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.device.groups.name | The group name. | keyword |
 | ocsf.device.groups.privileges | The group privileges. | keyword |
 | ocsf.device.groups.type | The type of the group or account. | keyword |
@@ -772,6 +826,7 @@ This is the `Event` dataset.
 | ocsf.device.modified_time | The time when the device was last known to have been modified. | date |
 | ocsf.device.modified_time_dt | The time when the device was last known to have been modified. | date |
 | ocsf.device.name | The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. | keyword |
+| ocsf.device.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer |
 | ocsf.device.network_interfaces.hostname | The hostname associated with the network interface. | keyword |
 | ocsf.device.network_interfaces.ip | The IP address associated with the network interface. | ip |
 | ocsf.device.network_interfaces.mac | The MAC address of the network interface. | keyword |
@@ -808,6 +863,7 @@ This is the `Event` dataset.
 | ocsf.device.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.device.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.device.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.device.zone | The network zone or LAN segment. | keyword |
 | ocsf.dialect | The negotiated protocol dialect. | keyword |
 | ocsf.direction | The direction of the email, as defined by the direction_id value. | keyword |
 | ocsf.direction_id | The direction of the email relative to the scanning host or organization. | keyword |
@@ -829,10 +885,7 @@ This is the `Event` dataset.
 | ocsf.driver.file.accessor.groups.type | The type of the group or account. | keyword |
 | ocsf.driver.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.driver.file.accessor.name | The username. For example, janedoe1. | keyword |
-| ocsf.driver.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.driver.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.driver.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.driver.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.driver.file.accessor.org.\* | | object |
 | ocsf.driver.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.driver.file.accessor.type_id | The account type identifier. | keyword |
 | ocsf.driver.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -857,10 +910,7 @@ This is the `Event` dataset.
 | ocsf.driver.file.creator.groups.type | The type of the group or account. | keyword |
 | ocsf.driver.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.driver.file.creator.name | The username. For example, janedoe1. | keyword |
-| ocsf.driver.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.driver.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.driver.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.driver.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.driver.file.creator.org.\* | | object |
 | ocsf.driver.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.driver.file.creator.type_id | The account type identifier. | keyword |
 | ocsf.driver.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -887,10 +937,7 @@ This is the `Event` dataset.
 | ocsf.driver.file.modifier.groups.type | The type of the group or account. | keyword |
 | ocsf.driver.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.driver.file.modifier.name | The username. For example, janedoe1. | keyword |
-| ocsf.driver.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.driver.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.driver.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.driver.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.driver.file.modifier.org.\* | | object |
 | ocsf.driver.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.driver.file.modifier.type_id | The account type identifier. | keyword |
 | ocsf.driver.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -910,19 +957,14 @@ This is the `Event` dataset.
 | ocsf.driver.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.driver.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.driver.file.owner.name | The username. For example, janedoe1. | keyword |
-| ocsf.driver.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.driver.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.driver.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.driver.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.driver.file.owner.org.\* | | object |
 | ocsf.driver.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.driver.file.owner.type_id | The account type identifier. | keyword |
 | ocsf.driver.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.driver.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.driver.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.driver.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.driver.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.driver.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.driver.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.driver.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.driver.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.driver.file.product.name | The name of the product. | keyword |
 | ocsf.driver.file.product.path | The installation path of the product. | keyword |
@@ -955,8 +997,10 @@ This is the `Event` dataset.
 | ocsf.driver.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
 | ocsf.driver.file.version | The file version. For example: 8.0.7601.17514. | keyword |
 | ocsf.driver.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.dst_endpoint.container | The information describing an instance of a container. | flattened |
 | ocsf.dst_endpoint.domain | The name of the domain. | keyword |
 | ocsf.dst_endpoint.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.dst_endpoint.hw_info | The endpoint hardware information. | flattened |
 | ocsf.dst_endpoint.instance_uid | The unique identifier of a VM instance. | keyword |
 | ocsf.dst_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword |
 | ocsf.dst_endpoint.interface_uid | The unique identifier of the network interface. | keyword |
@@ -974,12 +1018,18 @@ This is the `Event` dataset.
 | ocsf.dst_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
 | ocsf.dst_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
 | ocsf.dst_endpoint.name | The short name of the endpoint. | keyword |
+| ocsf.dst_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer |
+| ocsf.dst_endpoint.os | The endpoint operating system. | flattened |
 | ocsf.dst_endpoint.port | The port used for communication within the network connection. | long |
+| ocsf.dst_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened |
 | ocsf.dst_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
 | ocsf.dst_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.dst_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword |
+| ocsf.dst_endpoint.type_id | The network endpoint type ID. | keyword |
 | ocsf.dst_endpoint.uid | The unique identifier of the endpoint. | keyword |
 | ocsf.dst_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.dst_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.dst_endpoint.zone | The network zone or LAN segment. | keyword |
 | ocsf.duration | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. | long |
 | ocsf.email.cc | The email header Cc values, as defined by RFC 5322. | keyword |
 | ocsf.email.delivered_to | The Delivered-To email header field. | keyword |
@@ -1020,6 +1070,7 @@ This is the `Event` dataset.
 | ocsf.entity_result.uid | The identifier of the managed entity. | keyword |
 | ocsf.entity_result.version | The version of the managed entity. | keyword |
 | ocsf.evidence | The data the finding exposes to the analyst. | flattened |
+| ocsf.evidences | Describes various evidence artifacts associated to the activity/activities that triggered a security detection. | flattened |
 | ocsf.exit_code | The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. | keyword |
 | ocsf.expiration_time | The share expiration time. | date |
 | ocsf.expiration_time_dt | The share expiration time. | date |
@@ -1038,6 +1089,7 @@ This is the `Event` dataset.
 | ocsf.file.accessor.groups.privileges | The group privileges. | keyword |
 | ocsf.file.accessor.groups.type | The type of the group or account. | keyword |
 | ocsf.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.accessor.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.accessor.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1066,6 +1118,7 @@ This is the `Event` dataset.
 | ocsf.file.creator.groups.privileges | The group privileges. | keyword |
 | ocsf.file.creator.groups.type | The type of the group or account. | keyword |
 | ocsf.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.creator.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.creator.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1096,6 +1149,7 @@ This is the `Event` dataset.
 | ocsf.file.modifier.groups.privileges | The group privileges. | keyword |
 | ocsf.file.modifier.groups.type | The type of the group or account. | keyword |
 | ocsf.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.modifier.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.modifier.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1119,6 +1173,7 @@ This is the `Event` dataset.
 | ocsf.file.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.owner.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.owner.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1130,9 +1185,7 @@ This is the `Event` dataset.
 | ocsf.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.file.product.name | The name of the product. | keyword |
 | ocsf.file.product.path | The installation path of the product. | keyword |
@@ -1274,9 +1327,7 @@ This is the `Event` dataset.
 | ocsf.file_result.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.file_result.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.file_result.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.file_result.product.feature.name | The name of the feature. | keyword |
-| ocsf.file_result.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.file_result.product.feature.version | The version of the feature. | keyword |
+| ocsf.file_result.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.file_result.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.file_result.product.name | The name of the product. | keyword |
 | ocsf.file_result.product.path | The installation path of the product. | keyword |
@@ -1324,12 +1375,16 @@ This is the `Event` dataset.
 | ocsf.finding.related_events.type_uid | The unique identifier of the related event type. For example: 100701. | keyword |
 | ocsf.finding.related_events.uid | The unique identifier of the related event. | keyword |
 | ocsf.finding.remediation.desc | The description of the remediation strategy. | keyword |
+| ocsf.finding.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened |
 | ocsf.finding.remediation.kb_articles | The KB article/s related to the entity. | keyword |
+| ocsf.finding.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword |
 | ocsf.finding.src_url | The URL pointing to the source of the finding. | keyword |
 | ocsf.finding.supporting_data | Additional data supporting a finding as provided by security tool. | flattened |
 | ocsf.finding.title | The title of the reported finding. | keyword |
 | ocsf.finding.types | One or more types of the reported finding. | keyword |
 | ocsf.finding.uid | The unique identifier of the reported finding. | keyword |
+| ocsf.finding_info | Describes the supporting information about a generated finding. | flattened |
+| ocsf.firewall_rule | The firewall rule that triggered the event. | flattened |
 | ocsf.group.desc | The group description. | keyword |
 | ocsf.group.name | The group name. | keyword |
 | ocsf.group.privileges | The group privileges. | keyword |
@@ -1372,6 +1427,18 @@ This is the `Event` dataset.
 | ocsf.is_new_logon | Indicates logon is from a device not seen before or a first time account logon. | boolean |
 | ocsf.is_remote | The attempted authentication is over a remote connection. | boolean |
 | ocsf.is_renewal | The indication of whether this is a lease/session renewal event. | boolean |
+| ocsf.kb_article_list.bulletin | The kb article bulletin identifier. | keyword |
+| ocsf.kb_article_list.classification | The vendors classification of the kb article. | keyword |
+| ocsf.kb_article_list.created_time | The date the kb article was released by the vendor. | long |
+| ocsf.kb_article_list.created_time_dt | The date the kb article was released by the vendor. | date |
+| ocsf.kb_article_list.is_superseded | The patch is superseded | boolean |
+| ocsf.kb_article_list.os | The operating system the kb article applies. | flattened |
+| ocsf.kb_article_list.product | The product details the kb article applies. | flattened |
+| ocsf.kb_article_list.severity | The severity of the kb article. | keyword |
+| ocsf.kb_article_list.size | The size in bytes for the kb article. | long |
+| ocsf.kb_article_list.src_url | The kb article link from the source vendor. | keyword |
+| ocsf.kb_article_list.title | The title of the kb article. | keyword |
+| ocsf.kb_article_list.uid | The unique identifier for the kb article. | keyword |
 | ocsf.kernel.is_system | The indication of whether the object is part of the operating system. | boolean |
 | ocsf.kernel.name | The name of the kernel resource. | keyword |
 | ocsf.kernel.path | The full path of the kernel resource. | keyword |
@@ -1381,6 +1448,7 @@ This is the `Event` dataset.
 | ocsf.kill_chain.phase | The cyber kill chain phase. | keyword |
 | ocsf.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword |
 | ocsf.lease_dur | This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) | long |
+| ocsf.load_balancer | The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. | flattened |
 | ocsf.logon_type | The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.logon_type_id | The normalized logon type identifier | keyword |
 | ocsf.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword |
@@ -1399,9 +1467,7 @@ This is the `Event` dataset.
 | ocsf.malware.cves.cwe_url | Common Weakness Enumeration (CWE) definition URL. | keyword |
 | ocsf.malware.cves.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.malware.cves.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
-| ocsf.malware.cves.product.feature.name | The name of the feature. | keyword |
-| ocsf.malware.cves.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.malware.cves.product.feature.version | The version of the feature. | keyword |
+| ocsf.malware.cves.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.malware.cves.product.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
 | ocsf.malware.cves.product.name | The name of the product. | keyword |
 | ocsf.malware.cves.product.path | The installation path of the product. | keyword |
@@ -1421,20 +1487,24 @@ This is the `Event` dataset.
 | ocsf.metadata.extension.name | The schema extension name. For example: dev. | keyword |
 | ocsf.metadata.extension.uid | The schema extension unique identifier. For example: 999. | keyword |
 | ocsf.metadata.extension.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword |
+| ocsf.metadata.extensions.name | The schema extension name. For example: dev. | keyword |
+| ocsf.metadata.extensions.uid | The schema extension unique identifier. For example: 999. | keyword |
+| ocsf.metadata.extensions.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword |
 | ocsf.metadata.labels | The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. | keyword |
+| ocsf.metadata.log_level | The log level of the event. | keyword |
 | ocsf.metadata.log_name | The event log name. For example, syslog file name or Windows logging subsystem: Security. | keyword |
 | ocsf.metadata.log_provider | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. | keyword |
 | ocsf.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword |
 | ocsf.metadata.logged_time | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
 | ocsf.metadata.logged_time_dt | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
+| ocsf.metadata.loggers | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. | flattened |
 | ocsf.metadata.modified_time | The time when the event was last modified or enriched. | date |
 | ocsf.metadata.modified_time_dt | The time when the event was last modified or enriched. | date |
 | ocsf.metadata.original_time | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. | keyword |
 | ocsf.metadata.processed_time | The event processed time, such as an ETL operation. | date |
 | ocsf.metadata.processed_time_dt | The event processed time, such as an ETL operation. | date |
-| ocsf.metadata.product.feature.name | The name of the feature. | keyword |
-| ocsf.metadata.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.metadata.product.feature.version | The version of the feature. | keyword |
+| ocsf.metadata.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. | keyword |
+| ocsf.metadata.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.metadata.product.lang | The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.metadata.product.name | The name of the product. | keyword |
 | ocsf.metadata.product.path | The installation path of the product. | keyword |
@@ -1444,6 +1514,7 @@ This is the `Event` dataset.
 | ocsf.metadata.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
 | ocsf.metadata.profiles | The list of profiles used to create the event. | keyword |
 | ocsf.metadata.sequence | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. | long |
+| ocsf.metadata.tenant_uid | The audit level at which an event was generated. | keyword |
 | ocsf.metadata.uid | The logging system-assigned unique identifier of an event instance. | keyword |
 | ocsf.metadata.version | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. | keyword |
 | ocsf.module.base_address | The memory address where the module was loaded. | keyword |
@@ -1463,10 +1534,7 @@ This is the `Event` dataset.
 | ocsf.module.file.accessor.groups.type | The type of the group or account. | keyword |
 | ocsf.module.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.module.file.accessor.name | The username. For example, janedoe1. | keyword |
-| ocsf.module.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.module.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.module.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.module.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.module.file.accessor.org.\* | | object |
 | ocsf.module.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.module.file.accessor.type_id | The account type identifier. | keyword |
 | ocsf.module.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -1491,10 +1559,7 @@ This is the `Event` dataset.
 | ocsf.module.file.creator.groups.type | The type of the group or account. | keyword |
 | ocsf.module.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.module.file.creator.name | The username. For example, janedoe1. | keyword |
-| ocsf.module.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.module.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.module.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.module.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.module.file.creator.org.\* | | object |
 | ocsf.module.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.module.file.creator.type_id | The account type identifier. | keyword |
 | ocsf.module.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -1521,10 +1586,7 @@ This is the `Event` dataset.
 | ocsf.module.file.modifier.groups.type | The type of the group or account. | keyword |
 | ocsf.module.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.module.file.modifier.name | The username. For example, janedoe1. | keyword |
-| ocsf.module.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.module.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.module.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.module.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.module.file.modifier.org.\* | | object |
 | ocsf.module.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.module.file.modifier.type_id | The account type identifier. | keyword |
 | ocsf.module.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -1544,19 +1606,14 @@ This is the `Event` dataset.
 | ocsf.module.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.module.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.module.file.owner.name | The username. For example, janedoe1. | keyword |
-| ocsf.module.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.module.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.module.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.module.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.module.file.owner.org.\* | | object |
 | ocsf.module.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.module.file.owner.type_id | The account type identifier. | keyword |
 | ocsf.module.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.module.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.module.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.module.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.module.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.module.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.module.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.module.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.module.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.module.file.product.name | The name of the product. | keyword |
 | ocsf.module.file.product.path | The installation path of the product. | keyword |
@@ -1596,6 +1653,7 @@ This is the `Event` dataset.
 | ocsf.module.type | The module type. | keyword |
 | ocsf.name | The name of the data affiliated with the command. | keyword |
 | ocsf.nist | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | keyword |
+| ocsf.num_\* | The number fields for counting various item scan results. | integer |
 | ocsf.observables.name | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. | keyword |
 | ocsf.observables.reputation.base_score | The reputation score as reported by the event source. | double |
 | ocsf.observables.reputation.provider | The provider of the reputation information. | keyword |
@@ -1605,7 +1663,13 @@ This is the `Event` dataset. | ocsf.observables.type_id | The observable value type identifier. | keyword | | ocsf.observables.value | The value associated with the observable attribute. | keyword | | ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword | +| ocsf.policy | The policy that was used to scan the device. | flattened | | ocsf.port | The dynamic port established for impending data transfers. | long | +| ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer | +| ocsf.prev_security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.prev_security_states.state_id | The security state of the managed entity. | keyword | +| ocsf.priority | The priority, normalized to the caption of the priority_id value. | keyword | +| ocsf.priority_id | The priority, normalized to the ID of the priority_id value. | integer | | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword | | ocsf.protocol_ver | The Protocol version. | keyword | | ocsf.proxy.domain | The name of the domain. | keyword | 
@@ -1633,16 +1697,55 @@ This is the `Event` dataset. | ocsf.proxy.uid | The unique identifier of the endpoint. | keyword | | ocsf.proxy.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.proxy.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.proxy_connection_info | The connection information from the proxy server to the remote server. | flattened | +| ocsf.proxy_endpoint.container | The information describing an instance of a container. | flattened | +| ocsf.proxy_endpoint.domain | The name of the domain. | keyword | +| ocsf.proxy_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.proxy_endpoint.hw_info | The endpoint hardware information. | flattened | +| ocsf.proxy_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | +| ocsf.proxy_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | +| ocsf.proxy_endpoint.interface_uid | The unique identifier of the network interface. | keyword | +| ocsf.proxy_endpoint.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip | +| ocsf.proxy_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip | +| ocsf.proxy_endpoint.location.city | The name of the city. | keyword | +| ocsf.proxy_endpoint.location.continent | The name of the continent. | keyword | +| ocsf.proxy_endpoint.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | +| ocsf.proxy_endpoint.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword | +| ocsf.proxy_endpoint.location.desc | The description of the geographical location. | keyword | +| ocsf.proxy_endpoint.location.is_on_premises | The indication of whether the location is on premises. 
| boolean | +| ocsf.proxy_endpoint.location.isp | The name of the Internet Service Provider (ISP). | keyword | +| ocsf.proxy_endpoint.location.postal_code | The postal code of the location. | keyword | +| ocsf.proxy_endpoint.location.provider | The provider of the geographical location data. | keyword | +| ocsf.proxy_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | +| ocsf.proxy_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | +| ocsf.proxy_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.proxy_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.proxy_endpoint.os | The endpoint operating system. | flattened | +| ocsf.proxy_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.proxy_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | +| ocsf.proxy_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | +| ocsf.proxy_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.proxy_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.proxy_endpoint.type_id | The network endpoint type ID. | keyword | +| ocsf.proxy_endpoint.uid | The unique identifier of the endpoint. 
| keyword | +| ocsf.proxy_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | +| ocsf.proxy_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.proxy_endpoint.zone | The network zone or LAN segment. | keyword | +| ocsf.proxy_http_request | The HTTP Request from the proxy server to the remote server. | flattened | +| ocsf.proxy_http_response | The HTTP Response from the remote server to the proxy server. | flattened | +| ocsf.proxy_tls | The TLS protocol negotiated between the proxy server and the remote server. | flattened | +| ocsf.proxy_traffic | The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. | flattened | | ocsf.query.class | The class of resource records being queried. See RFC1035. For example: IN. | keyword | | ocsf.query.hostname | The hostname or domain being queried. For example: www.example.com | keyword | | ocsf.query.opcode | The DNS opcode specifies the type of the query message. | keyword | | ocsf.query.opcode_id | The DNS opcode ID specifies the normalized query message type. | keyword | | ocsf.query.packet_uid | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | | ocsf.query.type | The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS. | keyword | +| ocsf.query_info | The query info object holds information related to data access within a datastore. | flattened | | ocsf.query_time | The Domain Name System (DNS) query time. | date | | ocsf.query_time_dt | The Domain Name System (DNS) query time. | date | | ocsf.raw_data | The event data as received from the event source. | flattened | -| ocsf.raw_data_keyword | | keyword | +| ocsf.raw_data_keyword | The event data as received from the event source. 
| match_only_text | | ocsf.rcode | The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.rcode_id | The normalized identifier of the DNS server response code. | keyword | | ocsf.relay.hostname | The hostname associated with the network interface. | keyword | @@ -1654,6 +1757,10 @@ This is the `Event` dataset. | ocsf.relay.type | The type of network interface. | keyword | | ocsf.relay.type_id | The network interface type identifier. | keyword | | ocsf.relay.uid | The unique identifier for the network interface. | keyword | +| ocsf.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | +| ocsf.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.remote_display.color_depth | The numeric color depth. | long | | ocsf.remote_display.physical_height | The numeric physical height of display. | long | | ocsf.remote_display.physical_orientation | The numeric physical orientation of display. | long | 
@@ -1662,42 +1769,6 @@ This is the `Event` dataset. | ocsf.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | date | | ocsf.request.uid | The unique request identifier. | keyword | | ocsf.requested_permissions | The permissions mask that were requested by the process. | long | -| ocsf.resource.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | -| ocsf.resource.criticality | The criticality of the resource as defined by the event source. | keyword | -| ocsf.resource.data | Additional data describing the resource. | flattened | -| ocsf.resource.group.desc | The group description. | keyword | -| ocsf.resource.group.name | The group name. | keyword | -| ocsf.resource.group.privileges | The group privileges. | keyword | -| ocsf.resource.group.type | The type of the group or account. | keyword | -| ocsf.resource.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.labels | The list of labels/tags associated to a resource. | keyword | -| ocsf.resource.name | The name of the resource. | keyword | -| ocsf.resource.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | -| ocsf.resource.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.resource.owner.account.type_id | The normalized account type identifier. | keyword | -| ocsf.resource.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | -| ocsf.resource.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | -| ocsf.resource.owner.domain | The domain where the user is defined. 
For example: the LDAP or Active Directory domain. | keyword | -| ocsf.resource.owner.email_addr | The user's email address. | keyword | -| ocsf.resource.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | -| ocsf.resource.owner.groups.desc | The group description. | keyword | -| ocsf.resource.owner.groups.name | The group name. | keyword | -| ocsf.resource.owner.groups.privileges | The group privileges. | keyword | -| ocsf.resource.owner.groups.type | The type of the group or account. | keyword | -| ocsf.resource.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.resource.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.resource.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.resource.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.resource.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | -| ocsf.resource.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.resource.owner.type_id | The account type identifier. | keyword | -| ocsf.resource.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | -| ocsf.resource.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | -| ocsf.resource.region | The cloud region of the resource. | keyword | -| ocsf.resource.type | The resource type as defined by the event source. 
| keyword | -| ocsf.resource.uid | The unique identifier of the resource. | keyword | -| ocsf.resource.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.resources.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | | ocsf.resources.criticality | The criticality of the resource as defined by the event source. | keyword | | ocsf.resources.data | Additional data describing the resource. | flattened | @@ -1708,6 +1779,7 @@ This is the `Event` dataset. | ocsf.resources.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.resources.labels | The list of labels/tags associated to a resource. | keyword | | ocsf.resources.name | The name of the resource. | keyword | +| ocsf.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. | keyword | | ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword | 
@@ -1720,7 +1792,9 @@ This is the `Event` dataset. | ocsf.resources.owner.groups.name | The group name. | keyword | | ocsf.resources.owner.groups.privileges | The group privileges. | keyword | | ocsf.resources.owner.groups.type | The type of the group or account. | keyword | +| ocsf.resources.owner.groups.type_id | The resource group type identifier. | keyword | | ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.resources.owner.ldap_person | The LDAP person object. | flattened | | ocsf.resources.owner.name | The username. For example, janedoe1. | keyword | | ocsf.resources.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.resources.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | @@ -1732,6 +1806,7 @@ This is the `Event` dataset. | ocsf.resources.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.resources.region | The cloud region of the resource. | keyword | | ocsf.resources.type | The resource type as defined by the event source. | keyword | +| ocsf.resources.type_id | The resource type identifier. | keyword | | ocsf.resources.uid | The unique identifier of the resource. | keyword | | ocsf.resources.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.response.code | The numeric response sent to a request. | long | 
@@ -1744,6 +1819,15 @@ This is the `Event` dataset. | ocsf.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.risk_level_id | The normalized risk level id. | keyword | | ocsf.risk_score | The risk score as reported by the event source. | long | +| ocsf.scan.name | The administrator-supplied or application-generated name of the scan. | keyword | +| ocsf.scan.type | The type of scan. | keyword | +| ocsf.scan.type_id | The type id of the scan. | keyword | +| ocsf.scan.uid | The application-defined unique identifier assigned to an instance of a scan. | keyword | +| ocsf.schedule_uid | The unique identifier of the schedule associated with a scan job. | keyword | +| ocsf.security_level | The current security level of the entity. | keyword | +| ocsf.security_level_id | The current security level of the entity. | integer | +| ocsf.security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.security_states.state_id | The security state of the managed entity. | keyword | | ocsf.server_hassh.algorithm | The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation. | keyword | | ocsf.server_hassh.fingerprint.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.server_hassh.fingerprint.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | 
@@ -1769,8 +1853,10 @@ This is the `Event` dataset. | ocsf.share_type_id | The normalized identifier of the SMB share type. | keyword | | ocsf.size | The memory size that was access or requested. | long | | ocsf.smtp_hello | The value of the SMTP HELO or EHLO command sent by the initiator (client). | keyword | +| ocsf.src_endpoint.container | The information describing an instance of a container. | flattened | | ocsf.src_endpoint.domain | The name of the domain. | keyword | | ocsf.src_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.src_endpoint.hw_info | The endpoint hardware information. | flattened | | ocsf.src_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | | ocsf.src_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | | ocsf.src_endpoint.interface_uid | The unique identifier of the network interface. | keyword | 
@@ -1788,12 +1874,19 @@ This is the `Event` dataset. | ocsf.src_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | | ocsf.src_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | | ocsf.src_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.src_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.src_endpoint.os | The endpoint operating system. | flattened | | ocsf.src_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.src_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | | ocsf.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.src_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.src_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.src_endpoint.type_id | The network endpoint type ID. | keyword | | ocsf.src_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.src_endpoint.zone | The network zone or LAN segment. | keyword | +| ocsf.src_url | A Url link used to access the original incident. 
| keyword | | ocsf.start_time | The start time of a time period, or the time of the least recent event included in the aggregate event. | date | | ocsf.start_time_dt | The start time of a time period, or the time of the least recent event included in the aggregate event. | date | | ocsf.state | The normalized state of a security finding. | keyword | @@ -1802,6 +1895,9 @@ This is the `Event` dataset. | ocsf.status_code | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. | keyword | | ocsf.status_detail | The status details contains additional information about the event outcome. | keyword | | ocsf.status_id | The normalized identifier of the event status. | keyword | +| ocsf.stratum | The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. | keyword | +| ocsf.stratum_id | The normalized identifier of the stratum level, as defined in RFC-5905. | integer | +| ocsf.table | The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. | flattened | | ocsf.time | The normalized event occurrence time. | date | | ocsf.time_dt | The normalized event occurrence time. | date | | ocsf.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. | long | 
@@ -1836,6 +1932,7 @@ This is the `Event` dataset. | ocsf.tls.server_ciphers | The server cipher suites that were exchanged during the TLS handshake negotiation. | keyword | | ocsf.tls.sni | The Server Name Indication (SNI) extension sent by the client. | keyword | | ocsf.tls.version | The TLS protocol version. | keyword | +| ocsf.total | The total number of items that were scanned; zero if no items were scanned. | integer | | ocsf.traffic.bytes | The total number of bytes (in and out). | long | | ocsf.traffic.bytes_in | The number of bytes sent from the destination to the source. | long | | ocsf.traffic.bytes_out | The number of bytes sent from the source to the destination. | long | @@ -1844,7 +1941,8 @@ This is the `Event` dataset. | ocsf.traffic.packets_out | The number of packets sent from the source to the destination. | long | | ocsf.transaction_uid | The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair. | keyword | | ocsf.tree_uid | The tree id is a unique SMB identifier which represents an open connection to a share. | keyword | -| ocsf.type | The type of FTP network connection (e.g. active, passive). | keyword | +| ocsf.type | The type the event. | keyword | +| ocsf.type_id | The normalized event type identifier. | keyword | | ocsf.type_name | The event type name, as defined by the type_uid. | keyword | | ocsf.type_uid | The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id. | keyword | | ocsf.unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | flattened | 
@@ -1867,15 +1965,65 @@ This is the `Event` dataset. | ocsf.user.email_addr | The user's email address. | keyword | | ocsf.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.user.groups.desc | The group description. | keyword | +| ocsf.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.user.groups.name | The group name. | keyword | | ocsf.user.groups.privileges | The group privileges. | keyword | | ocsf.user.groups.type | The type of the group or account. | keyword | | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword | +| ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date | +| ocsf.user.ldap_person.created_time_dt | The date when the user was created. | date | +| ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | +| ocsf.user.ldap_person.deleted_time_dt | The date when the user was deleted. | date | +| ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | +| ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | +| ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword | +| ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | +| ocsf.user.ldap_person.hire_time_dt | The date when the user was or will be hired by the organization. | date | +| ocsf.user.ldap_person.job_title | The user's job title. | keyword | +| ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. 
| keyword | +| ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date | +| ocsf.user.ldap_person.last_login_time_dt | The last date when the user logged in. | date | +| ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | +| ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword | +| ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | +| ocsf.user.ldap_person.leave_time_dt | The date when the user left or will be leaving the organization. | date | +| ocsf.user.ldap_person.location.city | The name of the city. | keyword | +| ocsf.user.ldap_person.location.continent | The name of the continent. | keyword | +| ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | +| ocsf.user.ldap_person.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword | +| ocsf.user.ldap_person.location.desc | The description of the geographical location. | keyword | +| ocsf.user.ldap_person.location.is_on_premises | The indication of whether the location is on premises. | boolean | +| ocsf.user.ldap_person.location.isp | The name of the Internet Service Provider (ISP). | keyword | +| ocsf.user.ldap_person.location.postal_code | The postal code of the location. | keyword | +| ocsf.user.ldap_person.location.provider | The provider of the geographical location data. | keyword | +| ocsf.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. 
province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | +| ocsf.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword | +| ocsf.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | +| ocsf.user.ldap_person.manager.account.type_id | The normalized account type identifier. | keyword | +| ocsf.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | +| ocsf.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | +| ocsf.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | +| ocsf.user.ldap_person.manager.email_addr | The user's email address. | keyword | +| ocsf.user.ldap_person.manager.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | +| ocsf.user.ldap_person.manager.groups.desc | The group description. | keyword | +| ocsf.user.ldap_person.manager.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | +| ocsf.user.ldap_person.manager.groups.name | The group name. | keyword | +| ocsf.user.ldap_person.manager.groups.privileges | The group privileges. | keyword | +| ocsf.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | +| ocsf.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. 
| keyword |
+| ocsf.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object |
+| ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.user.ldap_person.manager.type_id | The account type identifier. | keyword |
+| ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date |
+| ocsf.user.ldap_person.modified_time_dt | The date when the user entry was last modified. | date |
+| ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword |
+| ocsf.user.ldap_person.surname | The last or family name for the user. | keyword |
 | ocsf.user.name | The username. For example, janedoe1. | keyword |
-| ocsf.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.user.org.\* | Organization and org unit related to the user. | object |
 | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.user.type_id | The account type identifier. | keyword |
 | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
@@ -1902,6 +2050,9 @@ This is the `Event` dataset.
 | ocsf.user_result.type_id | The account type identifier. | keyword |
 | ocsf.user_result.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user_result.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.verdict | The verdict assigned to an Incident finding. | keyword |
+| ocsf.verdict_id | The normalized verdict of an Incident. | integer |
+| ocsf.version | The version number of the NTP protocol. | keyword |
 | ocsf.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
 | ocsf.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
 | ocsf.vulnerabilities.cve.cvss.base_score | The CVSS base score. For example: 9.1. | double |
@@ -1912,13 +2063,15 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. | keyword |
 | ocsf.vulnerabilities.cve.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. | keyword |
 | ocsf.vulnerabilities.cve.cvss.version | The CVSS version. For example: 3.1. | keyword |
+| ocsf.vulnerabilities.cve.cwe | The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. | flattened |
 | ocsf.vulnerabilities.cve.cwe_uid | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | keyword |
 | ocsf.vulnerabilities.cve.cwe_url | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. | keyword |
+| ocsf.vulnerabilities.cve.desc | The description of the vulnerability. | keyword |
+| ocsf.vulnerabilities.cve.epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. | flattened |
+| ocsf.vulnerabilities.cve.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
 | ocsf.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
-| ocsf.vulnerabilities.cve.product.feature.name | The name of the feature. | keyword |
-| ocsf.vulnerabilities.cve.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.vulnerabilities.cve.product.feature.version | The version of the feature. | keyword |
+| ocsf.vulnerabilities.cve.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.vulnerabilities.cve.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.vulnerabilities.cve.product.name | The name of the product. | keyword |
 | ocsf.vulnerabilities.cve.product.path | The installation path of the product. | keyword |
@@ -1926,10 +2079,13 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.product.url_string | The URL pointing towards the product. | keyword |
 | ocsf.vulnerabilities.cve.product.vendor_name | The name of the vendor of the product. | keyword |
 | ocsf.vulnerabilities.cve.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.vulnerabilities.cve.references | Supporting reference URLs. | keyword |
+| ocsf.vulnerabilities.cve.title | The title of the cve. | keyword |
 | ocsf.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
 | ocsf.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword |
-| ocsf.vulnerabilities.desc | The description of the vulnerability. | keyword |
-| ocsf.vulnerabilities.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
+| ocsf.vulnerabilities.cwe.caption | The caption assigned to the Common Weakness Enumeration unique identifier. | keyword |
+| ocsf.vulnerabilities.cwe.src_url | URL pointing to the CWE Specification. | keyword |
+| ocsf.vulnerabilities.cwe.uid | The Common Weakness Enumeration unique number assigned to a specific weakness. | keyword |
 | ocsf.vulnerabilities.kb_articles | The KB article/s related to the entity. | keyword |
 | ocsf.vulnerabilities.packages.architecture | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. | keyword |
 | ocsf.vulnerabilities.packages.epoch | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. | long |
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json index 26f37d13c239..78b2c7d3c090 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.0.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.1.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json index 640aa6cc6f46..0af7bd6a9c53 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.0.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.1.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json index 252783b257e6..40810d7f0bd0 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.0.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.1.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json index 1c8940e9e13e..c8786042bd6b 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.0.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.0.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.0.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview 
Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.1.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.1.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.1.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", 
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json index 29c8d9d7f5e7..ae34823c2765 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.0.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System 
Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.1.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json index ff86ded51434..96229b2bb4ac 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.0.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.0.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.0.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.0.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.0.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.0.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.0.0/classes/network_file_activity) documentation for more information.\n\n[**Integration 
Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.1.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.1.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.1.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.1.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.1.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.1.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.1.0/classes/network_file_activity) documentation for more 
information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json index 43a1bfee4156..a78d640b902c 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.0.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.1.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json index 20483d18ed6d..3567cfd7c294 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@
 "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.0.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n",
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.1.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n",
 "openLinksInNewTab": false
 },
 "title": "",
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json
index 435f1fd1abf2..ad394ef841b3 100644
--- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json 
@@ -43,7 +43,7 @@
 "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- **[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.0.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
**[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.1.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
 "openLinksInNewTab": false
 },
 "title": "",
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json
index 9db5a24f0746..d42628658559 100644
--- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json 
@@ -43,7 +43,7 @@
 "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.0.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n",
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.1.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n",
 "openLinksInNewTab": false
 },
 "title": "",
diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml
index 5c3d3542857f..c8ab9b1cc655 100644
--- a/packages/amazon_security_lake/manifest.yml
+++ b/packages/amazon_security_lake/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: amazon_security_lake
 title: Amazon Security Lake
-version: "1.5.0"
+version: "2.0.0"
 description: Collect logs from Amazon Security Lake with Elastic Agent.
 type: integration
 categories: ["aws", "security"]