
Cylance integration

Version: 0.24.0
Subscription level: Basic
Ingestion method(s): File, Network Protocol
Minimum Kibana version(s): 9.0.0, 8.13.0

⚠️ IMPORTANT

This package is deprecated and is not supported for installation in Elastic Cloud Serverless.

This integration is for Cylance logs. It includes the following datasets for receiving logs over syslog or reading them from a file:

  • protect dataset: supports CylanceProtect logs.

The protect dataset collects CylanceProtect logs.
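The page states that the protect dataset receives CylanceProtect events over syslog or from a file, but does not show what such an event looks like or how it is broken into fields. The following is an added example, not code from the Elastic integration or from Cylance: a small parser that splits an RFC 5424 syslog line into its header and a comma-separated "Key: Value" body, unwraps parenthesised values, and flags hash fields that are not hex of the expected length (a truncated SHA256 is a common sign of a mangled syslog relay). The body format, the field names (Event Type, SHA256, Zone Names, and so on) and the sample line are assumptions constructed for this example; the two event.* values are the dataset this page documents.

```python
"""Added example (not part of the Elastic Cylance integration): parse a
CylancePROTECT-style syslog event into named fields.

Assumptions not stated on the page: the payload is an RFC 5424 syslog line
whose MSG part is a comma-separated list of "Key: Value" pairs, some values
wrapped in parentheses. The sample line below is constructed for this example.
"""
import re
from typing import Dict, List

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
# Split the body on ", " only where a new "Key: " token follows, so a value that
# itself contains a comma (e.g. "Zone Names: (Default, Finance)") stays intact.
_FIELD_SEP = re.compile(r", (?=[A-Za-z][A-Za-z0-9 ]*: )")
_HASH_HEX_LEN = {"SHA256": 64, "MD5": 32}

# Constructed sample event; not taken from any real tenant.
SAMPLE = (
    "<13>1 2024-03-01T10:15:00.000Z syslog01 CylancePROTECT - - - "
    "Event Type: Threat, Event Name: threat_found, Device Name: WS-042, "
    "IP Address: (10.20.30.40), File Name: payload.exe, "
    "Path: c:\\users\\alice\\downloads\\, Drive Type: Internal Hard Drive, "
    "SHA256: " + "a" * 64 + ", MD5: " + "b" * 32 + ", Status: Quarantined, "
    "Cylance Score: 100, Found Date: 3/1/2024 10:14:58 AM, "
    "File Type: Executable, Is Running: False, Auto Run: False, "
    "Detected By: FileWatcher, Zone Names: (Default, Finance), "
    "Is Malware: True, Threat Classification: Malware"
)


def parse_header(line: str) -> Dict[str, str]:
    """Split the RFC 5424 header; PRI is decoded into facility and severity."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    hdr = m.groupdict()
    pri = int(hdr.pop("pri"))
    hdr["facility"] = str(pri >> 3)
    hdr["severity"] = str(pri & 7)
    return hdr


def parse_body(body: str) -> Dict[str, str]:
    """Turn 'Key: Value, Key: Value' into a dict, unwrapping (parenthesised) values."""
    fields: Dict[str, str] = {}
    unparsed: List[str] = []
    for chunk in _FIELD_SEP.split(body):
        key, sep, value = chunk.partition(": ")
        if not sep:
            unparsed.append(chunk)  # keep anything that is not Key: Value
            continue
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        fields[key.strip()] = value
    if unparsed:
        fields["_unparsed"] = "; ".join(unparsed)
    return fields


def hash_problems(fields: Dict[str, str]) -> List[str]:
    """Hash fields that are present but not hex of the expected length."""
    bad: List[str] = []
    for key, length in _HASH_HEX_LEN.items():
        value = fields.get(key)
        if value is None:
            continue
        if len(value) != length or not re.fullmatch(r"[0-9A-Fa-f]+", value):
            bad.append(key)
    return bad


def to_event(line: str) -> Dict[str, object]:
    """Build a flat event; event.dataset/event.module name the dataset on this page."""
    hdr = parse_header(line)
    if hdr["app"] != "CylancePROTECT":
        raise ValueError(f"unexpected APP-NAME {hdr['app']!r}")
    fields = parse_body(hdr["msg"])
    return {
        "@timestamp": hdr["ts"],
        "event.dataset": "cylance.protect",
        "event.module": "cylance",
        "syslog": {k: hdr[k] for k in ("host", "facility", "severity")},
        "cylance": fields,  # raw Cylance keys; ECS/rsa.* mapping is the ingest pipeline's job
        "hash_problems": hash_problems(fields),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_event(SAMPLE), indent=2))
```

Feed it lines captured with `tcpdump` or read from the file the integration tails; an event whose `hash_problems` list is non-empty was damaged before it reached the pipeline, and `_unparsed` shows any body fragment the key/value split could not place.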

Exported fields
Field | Description | Type
--- | --- | ---
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
dns.question.domain | Server domain. | keyword
event.dataset | Event dataset | constant_keyword
event.module | Event module | constant_keyword
geo.city_name | City name. | keyword
geo.country_name | Country name. | keyword
geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword
geo.region_name | Region name. | keyword
input.type | Type of Filebeat input. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
log.source.address | Source address from which the log event was read / sent from. | keyword
network.interface.name |  | keyword
rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long
rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword
rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long
rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword
rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long
rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword
rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword
rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword
rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword
rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword
rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword
rsa.counters.event_counter | This is used to capture the number of times an event repeated | long
rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword
rsa.crypto.cert_checksum |  | keyword
rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword
rsa.crypto.cert_error | This key captures the Certificate Error String | keyword
rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword
rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword
rsa.crypto.cert_issuer |  | keyword
rsa.crypto.cert_keysize |  | keyword
rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword
rsa.crypto.cert_status | This key captures Certificate validation status | keyword
rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword
rsa.crypto.cert_username |  | keyword
rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword
rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long
rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long
rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword
rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword
rsa.crypto.d_certauth |  | keyword
rsa.crypto.https_insact |  | keyword
rsa.crypto.https_valid |  | keyword
rsa.crypto.ike | IKE negotiation phase. | keyword
rsa.crypto.ike_cookie1 | ID of the negotiation, sent for ISAKMP Phase One | keyword
rsa.crypto.ike_cookie2 | ID of the negotiation, sent for ISAKMP Phase Two | keyword
rsa.crypto.peer | This key is for the Encryption peer's IP Address | keyword
rsa.crypto.peer_id | This key is for the Encryption peer's identity | keyword
rsa.crypto.s_certauth |  | keyword
rsa.crypto.scheme | This key captures the Encryption scheme used | keyword
rsa.crypto.sig_type | This key captures the Signature Type | keyword
rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword
rsa.crypto.ssl_ver_src | Deprecated, use version | keyword
rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword
rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword
rsa.db.db_pid | This key captures the process id of a connection with the database server | long
rsa.db.index | This key captures the IndexID of the index. | keyword
rsa.db.instance | This key is used to capture the database server instance name | keyword
rsa.db.lread | This key is used for the number of logical reads | long
rsa.db.lwrite | This key is used for the number of logical writes | long
rsa.db.permissions | This key captures the permission or privilege level assigned to a resource. | keyword
rsa.db.pread | This key is used for the number of physical reads | long
rsa.db.table_name | This key is used to capture the table name | keyword
rsa.db.transact_id | This key captures the SQL transaction ID of the current session | keyword
rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword
rsa.email.email_dst | This key is used to capture the Destination email address only; when the destination context is not clear use email | keyword
rsa.email.email_src | This key is used to capture the source email address only; when the source context is not clear use email | keyword
rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword
rsa.email.trans_from | Deprecated key defined only in table map. | keyword
rsa.email.trans_to | Deprecated key defined only in table map. | keyword
rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword
rsa.endpoint.registry_key | This key captures the path to the registry key | keyword
rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword
rsa.file.attachment | This key captures the attachment file name | keyword
rsa.file.binary | Deprecated key defined only in table map. | keyword
rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword
rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword
rsa.file.file_entropy | This is used to capture the entropy value of a file | double
rsa.file.file_vendor | This is used to capture the Company name of a file located in version_info | keyword
rsa.file.filename_dst | This is used to capture the name of the file targeted by the action | keyword
rsa.file.filename_src | This is used to capture the name of the parent filename, the file which performed the action | keyword
rsa.file.filename_tmp |  | keyword
rsa.file.filesystem |  | keyword
rsa.file.privilege | Deprecated, use permissions | keyword
rsa.file.task_name | This is used to capture the name of the task | keyword
rsa.healthcare.patient_fname | This key is for First Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword
rsa.healthcare.patient_lname | This key is for Last Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.healthcare.patient_mname | This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.identity.accesses | This key is used to capture the actual privileges used in accessing an object | keyword
rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword
rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword
rsa.identity.dn_dst | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Destination dn | keyword
rsa.identity.dn_src | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Source dn | keyword
rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword
rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword
rsa.identity.firstname | This key is for First Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword
rsa.identity.lastname | This key is for Last Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.identity.ldap | This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context | keyword
rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword
rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword
rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword
rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword
rsa.identity.middlename | This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information | keyword
rsa.identity.org | This key captures the User organization | keyword
rsa.identity.owner | This is used to capture the username the process or service is running as, the author of the task | keyword
rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword
rsa.identity.profile | This key is used to capture the user profile | keyword
rsa.identity.realm | Radius realm or similar grouping of accounts | keyword
rsa.identity.service_account | This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage | keyword
rsa.identity.user_dept | User's Department Names only | keyword
rsa.identity.user_role | This key is used to capture the Role of a user only | keyword
rsa.identity.user_sid_dst | This key captures the Destination User Session ID | keyword
rsa.identity.user_sid_src | This key captures the Source User Session ID | keyword
rsa.internal.audit_class | Deprecated key defined only in table map. | keyword
rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.data | Deprecated key defined only in table map. | keyword
rsa.internal.dead | Deprecated key defined only in table map. | long
rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.device_group | This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | ip
rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | ip
rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.device_type_id | Deprecated key defined only in table map. | long
rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.entropy_req | This key is only used by the Entropy Parser; the Meta Type can be either UInt16 or Float32 based on the configuration | long
rsa.internal.entropy_res | This key is only used by the Entropy Parser; the Meta Type can be either UInt16 or Float32 based on the configuration | long
rsa.internal.entry | Deprecated key defined only in table map. | keyword
rsa.internal.event_desc |  | keyword
rsa.internal.event_name | Deprecated key defined only in table map. | keyword
rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.forward_ip | This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness. | ip
rsa.internal.forward_ipv6 | This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | ip
rsa.internal.hcode | Deprecated key defined only in table map. | keyword
rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.inode | Deprecated key defined only in table map. | long
rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | date
rsa.internal.level | Deprecated key defined only in table map. | long
rsa.internal.mcb_req | This key is only used by the Entropy Parser; the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long
rsa.internal.mcb_res | This key is only used by the Entropy Parser; the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long
rsa.internal.mcbc_req | This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams | long
rsa.internal.mcbc_res | This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams | long
rsa.internal.medium | This key is used to identify if it's a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long
rsa.internal.message | This key captures the contents of instant messages | keyword
rsa.internal.messageid |  | keyword
rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword
rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.node_name | Deprecated key defined only in table map. | keyword
rsa.internal.nwe_callback_id | This key denotes that the event is endpoint related | keyword
rsa.internal.obj_id | Deprecated key defined only in table map. | keyword
rsa.internal.obj_server | Deprecated key defined only in table map. | keyword
rsa.internal.obj_val | Deprecated key defined only in table map. | keyword
rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.payload_req | This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long
rsa.internal.payload_res | This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long
rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process. | keyword
rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process. | keyword
rsa.internal.resource | Deprecated key defined only in table map. | keyword
rsa.internal.resource_class | Deprecated key defined only in table map. | keyword
rsa.internal.rid | This is a special ID of the Remote Session created by the NetWitness Decoder. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | long
rsa.internal.session_split | This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.site | Deprecated key defined only in table map. | keyword
rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | long
rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.internal.statement | Deprecated key defined only in table map. | keyword
rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness. | date
rsa.internal.ubc_req | This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long
rsa.internal.ubc_res | This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long
rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log | keyword
rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword
rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword
rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword
rsa.investigations.boc | This is used to capture behaviour of compromise | keyword
rsa.investigations.ec_activity | This key captures the particular event activity (Ex: Logoff) | keyword
rsa.investigations.ec_outcome | This key captures the outcome of a particular Event (Ex: Success) | keyword
rsa.investigations.ec_subject | This key captures the Subject of a particular Event (Ex: User) | keyword
rsa.investigations.ec_theme | This key captures the Theme of a particular Event (Ex: Authentication) | keyword
rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword
rsa.investigations.event_cat | This key captures the Event category number | long
rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword
rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword
rsa.investigations.inv_category | This is used to capture the investigation category | keyword
rsa.investigations.inv_context | This is used to capture the investigation context | keyword
rsa.investigations.ioc | This key captures indicators of compromise | keyword
rsa.misc.OS | This key captures the Name of the Operating System | keyword
rsa.misc.acl_id |  | keyword
rsa.misc.acl_op |  | keyword
rsa.misc.acl_pos |  | keyword
rsa.misc.acl_table |  | keyword
rsa.misc.action |  | keyword
rsa.misc.admin |  | keyword
rsa.misc.agent_id | This key is used to capture the agent id | keyword
rsa.misc.alarm_id |  | keyword
rsa.misc.alarmname |  | keyword
rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword
rsa.misc.app_id |  | keyword
rsa.misc.audit |  | keyword
rsa.misc.audit_object |  | keyword
rsa.misc.auditdata |  | keyword
rsa.misc.autorun_type | This is used to capture the Auto Run type | keyword
rsa.misc.benchmark |  | keyword
rsa.misc.bypass |  | keyword
rsa.misc.cache |  | keyword
rsa.misc.cache_hit |  | keyword
rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword
rsa.misc.cc_number | Valid Credit Card Numbers only | long
rsa.misc.cefversion |  | keyword
rsa.misc.cfg_attr |  | keyword
rsa.misc.cfg_obj |  | keyword
rsa.misc.cfg_path |  | keyword
rsa.misc.change_attrib | This key is used to capture the name of the attribute that's changing in a session | keyword
rsa.misc.change_new | This key is used to capture the new values of the attribute that's changing in a session | keyword
rsa.misc.change_old | This key is used to capture the old value of the attribute that's changing in a session | keyword
rsa.misc.changes |  | keyword
rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword
rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the target entity such as a process or file. | keyword
rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword
rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword
rsa.misc.client_ip |  | keyword
rsa.misc.clustermembers |  | keyword
rsa.misc.cmd |  | keyword
rsa.misc.cn_acttimeout |  | keyword
rsa.misc.cn_asn_src |  | keyword
rsa.misc.cn_bgpv4nxthop |  | keyword
rsa.misc.cn_ctr_dst_code |  | keyword
rsa.misc.cn_dst_tos |  | keyword
rsa.misc.cn_dst_vlan |  | keyword
rsa.misc.cn_engine_id |  | keyword
rsa.misc.cn_engine_type |  | keyword
rsa.misc.cn_f_switch |  | keyword
rsa.misc.cn_flowsampid |  | keyword
rsa.misc.cn_flowsampintv |  | keyword
rsa.misc.cn_flowsampmode |  | keyword
rsa.misc.cn_inacttimeout |  | keyword
rsa.misc.cn_inpermbyts |  | keyword
rsa.misc.cn_inpermpckts |  | keyword
rsa.misc.cn_invalid |  | keyword
rsa.misc.cn_ip_proto_ver |  | keyword
rsa.misc.cn_ipv4_ident |  | keyword
rsa.misc.cn_l_switch |  | keyword
rsa.misc.cn_log_did |  | keyword
rsa.misc.cn_log_rid |  | keyword
rsa.misc.cn_max_ttl |  | keyword
rsa.misc.cn_maxpcktlen |  | keyword
rsa.misc.cn_min_ttl |  | keyword
rsa.misc.cn_minpcktlen |  | keyword
rsa.misc.cn_mpls_lbl_1 |  | keyword
rsa.misc.cn_mpls_lbl_10 |  | keyword
rsa.misc.cn_mpls_lbl_2 |  | keyword
rsa.misc.cn_mpls_lbl_3 |  | keyword
rsa.misc.cn_mpls_lbl_4 |  | keyword
rsa.misc.cn_mpls_lbl_5 |  | keyword
rsa.misc.cn_mpls_lbl_6 |  | keyword
rsa.misc.cn_mpls_lbl_7 |  | keyword
rsa.misc.cn_mpls_lbl_8 |  | keyword
rsa.misc.cn_mpls_lbl_9 |  | keyword
rsa.misc.cn_mplstoplabel |  | keyword
rsa.misc.cn_mplstoplabip |  | keyword
rsa.misc.cn_mul_dst_byt |  | keyword
rsa.misc.cn_mul_dst_pks |  | keyword
rsa.misc.cn_muligmptype |  | keyword
rsa.misc.cn_sampalgo |  | keyword
rsa.misc.cn_sampint |  | keyword
rsa.misc.cn_seqctr |  | keyword
rsa.misc.cn_spackets |  | keyword
rsa.misc.cn_src_tos |  | keyword
rsa.misc.cn_src_vlan |  | keyword
rsa.misc.cn_sysuptime |  | keyword
rsa.misc.cn_template_id |  | keyword
rsa.misc.cn_totbytsexp |  | keyword
rsa.misc.cn_totflowexp |  | keyword
rsa.misc.cn_totpcktsexp |  | keyword
rsa.misc.cn_unixnanosecs |  | keyword
rsa.misc.cn_v6flowlabel |  | keyword
rsa.misc.cn_v6optheaders |  | keyword
rsa.misc.code |  | keyword
rsa.misc.command |  | keyword
rsa.misc.comments | Comment information provided in the log message | keyword
rsa.misc.comp_class |  | keyword
rsa.misc.comp_name |  | keyword
rsa.misc.comp_rbytes |  | keyword
rsa.misc.comp_sbytes |  | keyword
rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword
rsa.misc.connection_id | This key captures the Connection ID | keyword
rsa.misc.content | This key captures the content type from protocol headers | keyword
rsa.misc.content_type | This key is used to capture Content Type only. | keyword
rsa.misc.content_version | This key captures the Version level of a signature or database content. | keyword
rsa.misc.context | This key captures Information which adds additional context to the event. | keyword
rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword
rsa.misc.context_target |  | keyword
rsa.misc.count |  | keyword
rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long
rsa.misc.cpu_data |  | keyword
rsa.misc.criticality |  | keyword
rsa.misc.cs_agency_dst |  | keyword
rsa.misc.cs_analyzedby |  | keyword
rsa.misc.cs_av_other |  | keyword
rsa.misc.cs_av_primary |  | keyword
rsa.misc.cs_av_secondary |  | keyword
rsa.misc.cs_bgpv6nxthop |  | keyword
rsa.misc.cs_bit9status |  | keyword
rsa.misc.cs_context |  | keyword
rsa.misc.cs_control |  | keyword
rsa.misc.cs_data |  | keyword
rsa.misc.cs_datecret |  | keyword
rsa.misc.cs_dst_tld |  | keyword
rsa.misc.cs_eth_dst_ven |  | keyword
rsa.misc.cs_eth_src_ven |  | keyword
rsa.misc.cs_event_uuid |  | keyword
rsa.misc.cs_filetype |  | keyword
rsa.misc.cs_fld |  | keyword
rsa.misc.cs_if_desc |  | keyword
rsa.misc.cs_if_name |  | keyword
rsa.misc.cs_ip_next_hop |  | keyword
rsa.misc.cs_ipv4dstpre |  | keyword
rsa.misc.cs_ipv4srcpre |  | keyword
rsa.misc.cs_lifetime |  | keyword
rsa.misc.cs_log_medium |  | keyword
rsa.misc.cs_loginname |  | keyword
rsa.misc.cs_modulescore |  | keyword
rsa.misc.cs_modulesign |  | keyword
rsa.misc.cs_opswatresult |  | keyword
rsa.misc.cs_payload |  | keyword
rsa.misc.cs_registrant |  | keyword
rsa.misc.cs_registrar |  | keyword
rsa.misc.cs_represult |  | keyword
rsa.misc.cs_rpayload |  | keyword
rsa.misc.cs_sampler_name |  | keyword
rsa.misc.cs_sourcemodule |  | keyword
rsa.misc.cs_streams |  | keyword
rsa.misc.cs_targetmodule |  | keyword
rsa.misc.cs_v6nxthop |  | keyword
rsa.misc.cs_whois_server |  | keyword
rsa.misc.cs_yararesult |  | keyword
rsa.misc.cve | This key captures a CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability. | keyword
rsa.misc.data_type |  | keyword
rsa.misc.description |  | keyword
rsa.misc.device_name | This is used to capture the name of the Device associated with the node, like a physical disk, printer, etc. | keyword
rsa.misc.devvendor |  | keyword
rsa.misc.disposition | This key captures the end state of an action. | keyword
rsa.misc.distance |  | keyword
rsa.misc.doc_number | This key captures the File Identification number | long
rsa.misc.dstburb |  | keyword
rsa.misc.edomain |  | keyword
rsa.misc.edomaub |  | keyword
rsa.misc.ein_number | Employee Identification Numbers only | long
rsa.misc.error | This key captures all non-successful Error codes or responses | keyword
rsa.misc.euid |  | keyword
rsa.misc.event_category |  | keyword
rsa.misc.event_computer | This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log. | keyword
rsa.misc.event_desc | This key is used to capture a description of an event, available directly or inferred | keyword
rsa.misc.event_id |  | keyword
rsa.misc.event_log | This key captures the Name of the event log | keyword
rsa.misc.event_source | This key captures the Source of the event when it is not a hostname | keyword
rsa.misc.event_state | This key captures the current state of the object/item referenced within the event, describing an on-going event. | keyword
rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword
rsa.misc.event_user | This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log. | keyword
rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword
rsa.misc.facility |  | keyword
rsa.misc.facilityname |  | keyword
rsa.misc.fcatnum | This key captures the Filter Category Number. Legacy Usage | keyword
rsa.misc.filter | This key captures the Filter used to reduce the result set | keyword
rsa.misc.finterface |  | keyword
rsa.misc.flags |  | keyword
rsa.misc.forensic_info |  | keyword
rsa.misc.found | This is used to capture the results of a regex match | keyword
rsa.misc.fresult | This key captures the Filter Result | long
rsa.misc.gaddr |  | keyword
rsa.misc.group | This key captures the Group Name value | keyword
rsa.misc.group_id | This key captures the Group ID Number (related to the group name) | keyword
rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword
rsa.misc.hardware_id | This key is used to capture a unique identifier for a device or system (NOT a MAC address) | keyword
rsa.misc.id3 |  | keyword
rsa.misc.im_buddyid |  | keyword
rsa.misc.im_buddyname |  | keyword
rsa.misc.im_client |  | keyword
rsa.misc.im_croomid |  | keyword
rsa.misc.im_croomtype |  | keyword
rsa.misc.im_members |  | keyword
rsa.misc.im_userid |  | keyword
rsa.misc.im_username |  | keyword
rsa.misc.index |  | keyword
rsa.misc.inout |  | keyword
rsa.misc.ipkt |  | keyword
rsa.misc.ipscat |  | keyword
rsa.misc.ipspri |  | keyword
rsa.misc.job_num | This key captures the Job Number | keyword
rsa.misc.jobname |  | keyword
rsa.misc.language | This is used to capture the list of languages the client supports and which it prefers | keyword
rsa.misc.latitude |  | keyword
rsa.misc.library | This key is used to capture library information in mainframe devices | keyword
rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long
rsa.misc.linenum |  | keyword
rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness | keyword
rsa.misc.list_name |  | keyword
rsa.misc.listnum | This key is used to capture a listname or listnumber, primarily for collecting access-lists | keyword
rsa.misc.load_data |  | keyword
rsa.misc.location_floor |  | keyword
rsa.misc.location_mark |  | keyword
rsa.misc.log_id |  | keyword
rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword
rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword
rsa.misc.log_type |  | keyword
rsa.misc.logid |  | keyword
rsa.misc.logip |  | keyword
rsa.misc.logname |  | keyword
rsa.misc.longitude |  | keyword
rsa.misc.lport |  | keyword
rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword
rsa.misc.match | This key is for the regex match name from search.ini | keyword
rsa.misc.mbug_data |  | keyword
rsa.misc.message_body | This key captures the contents of the message body. | keyword
rsa.misc.misc |  | keyword
rsa.misc.misc_name |  | keyword
rsa.misc.mode |  | keyword
rsa.misc.msgIdPart1 |  | keyword
rsa.misc.msgIdPart2 |  | keyword
rsa.misc.msgIdPart3 |  | keyword
rsa.misc.msgIdPart4 |  | keyword
rsa.misc.msg_type |  | keyword
rsa.misc.msgid |  | keyword
rsa.misc.name |  | keyword
rsa.misc.netsessid |  | keyword
rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword
rsa.misc.ntype |  | keyword
rsa.misc.num |  | keyword
rsa.misc.number |  | keyword
rsa.misc.number1 |  | keyword
rsa.misc.number2 |  | keyword
rsa.misc.nwwn |  | keyword
rsa.misc.obj_name | This is used to capture the name of an object | keyword
rsa.misc.obj_type | This is used to capture the type of an object | keyword
rsa.misc.object |  | keyword
rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword
rsa.misc.operation |  | keyword
rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword
rsa.misc.opkt |  | keyword
rsa.misc.orig_from |  | keyword
rsa.misc.owner_id |  | keyword
rsa.misc.p_action |  | keyword
rsa.misc.p_filter |  | keyword
rsa.misc.p_group_object |  | keyword
rsa.misc.p_id |  | keyword
rsa.misc.p_msgid |  | keyword
rsa.misc.p_msgid1 |  | keyword
rsa.misc.p_msgid2 |  | keyword
rsa.misc.p_result1 |  | keyword
rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword
rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword
rsa.misc.param_src | This key captures the source parameter | keyword
rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to the node variable. | keyword
rsa.misc.password_chgkeyword
rsa.misc.password_expirekeyword
rsa.misc.payload_dstThis key is used to capture destination payloadkeyword
rsa.misc.payload_srcThis key is used to capture source payloadkeyword
rsa.misc.permgrantedkeyword
rsa.misc.permwantedkeyword
rsa.misc.pgidkeyword
rsa.misc.phonekeyword
rsa.misc.pidkeyword
rsa.misc.policykeyword
rsa.misc.policyUUIDkeyword
rsa.misc.policy_idThis key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwisekeyword
rsa.misc.policy_nameThis key is used to capture the Policy Name only.keyword
rsa.misc.policy_valueThis key captures the contents of the policy. This contains details about the policykeyword
rsa.misc.policy_waiverkeyword
rsa.misc.pool_idThis key captures the identifier (typically numeric field) of a resource poolkeyword
rsa.misc.pool_nameThis key captures the name of a resource poolkeyword
rsa.misc.port_nameThis key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).keyword
rsa.misc.prioritykeyword
rsa.misc.process_id_valThis key is a failure key for Process ID when it is not an integer valuekeyword
rsa.misc.prog_asp_numkeyword
rsa.misc.programkeyword
rsa.misc.real_datakeyword
rsa.misc.reasonkeyword
rsa.misc.rec_asp_devicekeyword
rsa.misc.rec_asp_numkeyword
rsa.misc.rec_librarykeyword
rsa.misc.recordnumkeyword
rsa.misc.reference_idThis key is used to capture an event id from the session directlykeyword
rsa.misc.reference_id1This key is for Linked ID to be used as an addition to "reference.id"keyword
rsa.misc.reference_id2This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.keyword
rsa.misc.resultThis key is used to capture the outcome/result string value of an action in a session.keyword
rsa.misc.result_codeThis key is used to capture the outcome/result numeric value of an action in a sessionkeyword
rsa.misc.riskThis key captures the non-numeric risk valuekeyword
rsa.misc.risk_infoDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)keyword
rsa.misc.risk_numThis key captures a Numeric Risk valuedouble
rsa.misc.risk_num_commThis key captures Risk Number Communitydouble
rsa.misc.risk_num_nextThis key captures Risk Number NextGendouble
rsa.misc.risk_num_sandThis key captures Risk Number SandBoxdouble
rsa.misc.risk_num_staticThis key captures Risk Number Staticdouble
rsa.misc.risk_suspiciousDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)keyword
rsa.misc.risk_warningDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)keyword
rsa.misc.ruidkeyword
rsa.misc.ruleThis key captures the Rule numberkeyword
rsa.misc.rule_groupThis key captures the Rule group namekeyword
rsa.misc.rule_nameThis key captures the Rule Namekeyword
rsa.misc.rule_templateA default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a templatekeyword
rsa.misc.rule_uidThis key is the Unique Identifier for a rule.keyword
rsa.misc.sburbkeyword
rsa.misc.sdomain_fldkeyword
rsa.misc.search_textThis key captures the Search Text usedkeyword
rsa.misc.seckeyword
rsa.misc.secondkeyword
rsa.misc.sensorThis key captures Name of the sensor. Typically used in IDS/IPS based deviceskeyword
rsa.misc.sensornamekeyword
rsa.misc.seqnumkeyword
rsa.misc.serial_numberThis key is the Serial number associated with a physical asset.keyword
rsa.misc.sessionkeyword
rsa.misc.sessiontypekeyword
rsa.misc.severityThis key is used to capture the severity given the sessionkeyword
rsa.misc.sigUUIDkeyword
rsa.misc.sig_idThis key captures IDS/IPS Int Signature IDlong
rsa.misc.sig_id1This key captures IDS/IPS Int Signature ID. This must be linked to the sig.idlong
rsa.misc.sig_id_strThis key captures a string object of the sigid variable.keyword
rsa.misc.sig_nameThis key is used to capture the Signature Name only.keyword
rsa.misc.sigcatkeyword
rsa.misc.snmp_oidSNMP Object Identifierkeyword
rsa.misc.snmp_valueSNMP set request valuekeyword
rsa.misc.spacekeyword
rsa.misc.space1keyword
rsa.misc.spikeyword
rsa.misc.spi_dstDestination SPI Indexkeyword
rsa.misc.spi_srcSource SPI Indexkeyword
rsa.misc.sqlThis key captures the SQL querykeyword
rsa.misc.srcburbkeyword
rsa.misc.srcdomkeyword
rsa.misc.srcservicekeyword
rsa.misc.statekeyword
rsa.misc.statuskeyword
rsa.misc.status1keyword
rsa.misc.streamsThis key captures number of streams in sessionlong
rsa.misc.subcategorykeyword
rsa.misc.svcnokeyword
rsa.misc.systemkeyword
rsa.misc.tbdstr1keyword
rsa.misc.tbdstr2keyword
rsa.misc.tcp_flagsThis key is captures the TCP flags set in any packet of sessionlong
rsa.misc.terminalThis key captures the Terminal Names onlykeyword
rsa.misc.tgtdomkeyword
rsa.misc.tgtdomainkeyword
rsa.misc.thresholdkeyword
rsa.misc.tosThis key describes the type of servicelong
rsa.misc.trigger_descThis key captures the Description of the trigger or threshold condition.keyword
rsa.misc.trigger_valThis key captures the Value of the trigger or threshold condition.keyword
rsa.misc.typekeyword
rsa.misc.type1keyword
rsa.misc.udb_classkeyword
rsa.misc.url_fldkeyword
rsa.misc.user_divkeyword
rsa.misc.useridkeyword
rsa.misc.username_fldkeyword
rsa.misc.utcstampkeyword
rsa.misc.v_instafnamekeyword
rsa.misc.versionThis key captures Version of the application or OS which is generating the event.keyword
rsa.misc.virt_datakeyword
rsa.misc.virusnameThis key captures the name of the viruskeyword
rsa.misc.vm_targetVMWare Target **VMWARE** only varaible.keyword
rsa.misc.vpnidkeyword
rsa.misc.vsysThis key captures Virtual System Namekeyword
rsa.misc.vuln_refThis key captures the Vulnerability Reference detailskeyword
rsa.misc.workspaceThis key captures Workspace Descriptionkeyword
rsa.network.ad_computer_dstDeprecated, use host.dstkeyword
rsa.network.addrkeyword
rsa.network.alias_hostThis key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.keyword
rsa.network.dinterfaceThis key should only be used when it’s a Destination Interfacekeyword
rsa.network.dmaskThis key is used for Destionation Device network maskkeyword
rsa.network.dns_a_recordkeyword
rsa.network.dns_cname_recordkeyword
rsa.network.dns_idkeyword
rsa.network.dns_opcodekeyword
rsa.network.dns_ptr_recordkeyword
rsa.network.dns_respkeyword
rsa.network.dns_typekeyword
rsa.network.domainkeyword
rsa.network.domain1keyword
rsa.network.eth_hostDeprecated, use alias.mackeyword
rsa.network.eth_typeThis key is used to capture Ethernet Type, Used for Layer 3 Protocols Onlylong
rsa.network.faddrkeyword
rsa.network.fhostkeyword
rsa.network.fportkeyword
rsa.network.gatewayThis key is used to capture the IP Address of the gatewaykeyword
rsa.network.host_dstThis key should only be used when it’s a Destination Hostnamekeyword
rsa.network.host_origThis is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.keyword
rsa.network.host_typekeyword
rsa.network.icmp_codeThis key is used to capture the ICMP code onlylong
rsa.network.icmp_typeThis key is used to capture the ICMP type onlylong
rsa.network.interfaceThis key should be used when the source or destination context of an interface is not clearkeyword
rsa.network.ip_protoThis key should be used to capture the Protocol number, all the protocol nubers are converted into string in UIlong
rsa.network.laddrkeyword
rsa.network.lhostkeyword
rsa.network.linterfacekeyword
rsa.network.maskThis key is used to capture the device network IPmask.keyword
rsa.network.netnameThis key is used to capture the network name associated with an IP range. This is configured by the end user.keyword
rsa.network.network_portDeprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)long
rsa.network.network_serviceThis is used to capture layer 7 protocols/service nameskeyword
rsa.network.originkeyword
rsa.network.packet_lengthkeyword
rsa.network.paddrDeprecatedip
rsa.network.phostkeyword
rsa.network.portThis key should only be used to capture a Network Port when the directionality is not clearlong
rsa.network.protocol_detailThis key should be used to capture additional protocol informationkeyword
rsa.network.remote_domain_idkeyword
rsa.network.rpayloadThis key is used to capture the total number of payload bytes seen in the retransmitted packets.keyword
rsa.network.sinterfaceThis key should only be used when it’s a Source Interfacekeyword
rsa.network.smaskThis key is used for capturing source Network Maskkeyword
rsa.network.vlanThis key should only be used to capture the ID of the Virtual LANlong
rsa.network.vlan_nameThis key should only be used to capture the name of the Virtual LANkeyword
rsa.network.zoneThis key should be used when the source or destination context of a Zone is not clearkeyword
rsa.network.zone_dstThis key should only be used when it’s a Destination Zone.keyword
rsa.network.zone_srcThis key should only be used when it’s a Source Zone.keyword
rsa.physical.org_dstThis is used to capture the destination organization based on the GEOPIP Maxmind database.keyword
rsa.physical.org_srcThis is used to capture the source organization based on the GEOPIP Maxmind database.keyword
rsa.storage.disk_volumeA unique name assigned to logical units (volumes) within a physical diskkeyword
rsa.storage.lunLogical Unit Number.This key is a very useful concept in Storage.keyword
rsa.storage.pwwnThis uniquely identifies a port on a HBA.keyword
rsa.threat.alertThis key is used to capture name of the alertkeyword
rsa.threat.threat_categoryThis key captures Threat Name/Threat Category/Categorization of alertkeyword
rsa.threat.threat_descThis key is used to capture the threat description from the session directly or inferredkeyword
rsa.threat.threat_sourceThis key is used to capture source of the threatkeyword
rsa.time.datekeyword
rsa.time.datetimekeyword
rsa.time.daykeyword
rsa.time.duration_strA text string version of the durationkeyword
rsa.time.duration_timeThis key is used to capture the normalized duration/lifetime in seconds.double
rsa.time.effective_timeThis key is the effective time referenced by an individual event in a Standard Timestamp formatdate
rsa.time.endtimeThis key is used to capture the End time mentioned in a session in a standard formdate
rsa.time.event_queue_timeThis key is the Time that the event was queued.date
rsa.time.event_timeThis key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized formdate
rsa.time.event_time_strThis key is used to capture the incomplete time mentioned in a session as a stringkeyword
rsa.time.eventtimekeyword
rsa.time.expire_timeThis key is the timestamp that explicitly refers to an expiration.date
rsa.time.expire_time_strThis key is used to capture incomplete timestamp that explicitly refers to an expiration.keyword
rsa.time.gmtdatekeyword
rsa.time.gmttimekeyword
rsa.time.hourkeyword
rsa.time.minkeyword
rsa.time.monthkeyword
rsa.time.p_datekeyword
rsa.time.p_monthkeyword
rsa.time.p_timekeyword
rsa.time.p_time1keyword
rsa.time.p_time2keyword
rsa.time.p_yearkeyword
rsa.time.process_timeDeprecated, use duration.timekeyword
rsa.time.recorded_timeThe event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.date
rsa.time.stampDeprecated key defined only in table map.date
rsa.time.starttimeThis key is used to capture the Start time mentioned in a session in a standard formdate
rsa.time.timestampkeyword
rsa.time.timezoneThis key is used to capture the timezone of the Event Timekeyword
rsa.time.tzonekeyword
rsa.time.yearkeyword
rsa.web.alias_hostkeyword
rsa.web.cn_asn_dstkeyword
rsa.web.cn_rpacketskeyword
rsa.web.fqdnFully Qualified Domain Nameskeyword
rsa.web.p_urlkeyword
rsa.web.p_user_agentkeyword
rsa.web.p_web_cookiekeyword
rsa.web.p_web_methodkeyword
rsa.web.p_web_refererkeyword
rsa.web.remote_domainkeyword
rsa.web.reputation_numReputation Number of an entity. Typically used for Web Domainsdouble
rsa.web.urlpagekeyword
rsa.web.urlrootkeyword
rsa.web.web_cookieThis key is used to capture the Web cookies specifically.keyword
rsa.web.web_extension_tmpkeyword
rsa.web.web_pagekeyword
rsa.web.web_ref_domainWeb referer's domainkeyword
rsa.web.web_ref_pageThis key captures Web referer's page informationkeyword
rsa.web.web_ref_queryThis key captures Web referer's query portion of the URLkeyword
rsa.web.web_ref_rootWeb referer's root URL pathkeyword
rsa.wireless.access_pointThis key is used to capture the access point name.keyword
rsa.wireless.wlan_channelThis is used to capture the channel nameslong
rsa.wireless.wlan_nameThis key captures either WLAN number/namekeyword
rsa.wireless.wlan_ssidThis key is used to capture the ssid of a Wireless Sessionkeyword
Changelog

| Version | Details | Minimum Kibana version |
|---|---|---|
| 0.24.0 | Enhancement: Deprecate package. | 9.0.0, 8.13.0 |
| 0.23.0 | Enhancement: Update Kibana constraint to support 9.0.0. | 9.0.0, 8.13.0 |
| 0.22.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 |
| 0.21.2 | Bug fix: Fix string literals in painless scripts. | 8.13.0 |
| 0.21.1 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 |
| 0.21.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 |
| 0.20.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 |
| 0.19.3 | Enhancement: Fix kibana.version syntax in manifest. | 8.0.0, 7.14.1 |
| 0.19.2 | Enhancement: Changed owners. | 8.0.0, 7.14.1 |
| 0.19.1 | Bug fix: Fix exclude_files pattern. | 8.0.0, 7.14.1 |
| 0.19.0 | Enhancement: ECS version updated to 8.11.0. | 8.0.0, 7.14.1 |
| 0.18.0 | Enhancement: ECS version updated to 8.10.0. | 8.0.0, 7.14.1 |
| 0.17.0 | Enhancement: Update package to ECS 8.9.0. | 8.0.0, 7.14.1 |
| 0.16.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.0.0, 7.14.1 |
| 0.15.0 | Enhancement: Update package to ECS 8.8.0. | 8.0.0, 7.14.1 |
| 0.14.0 | Enhancement: Update package-spec version to 2.7.0. | 8.0.0, 7.14.1 |
| 0.13.0 | Enhancement: Update package to ECS 8.7.0. | |
| 0.12.1 | Enhancement: Added categories and/or subcategories. | |
| 0.12.0 | Enhancement: Update package to ECS 8.6.0. | |
| 0.11.1 | Bug fix: Update docs to match field definitions. | |
| 0.11.0 | Enhancement: Update package to ECS 8.5.0. | |
| 0.10.2 | Bug fix: Remove duplicate fields. | |
| 0.10.1 | Enhancement: Use ECS geo.location definition. | |
| 0.10.0 | Enhancement: Update package to ECS 8.4.0. | |
| 0.9.1 | Enhancement: Added link to vendor documentation in readme.md. | |
| 0.9.0 | Enhancement: Update package to ECS 8.3.0. | |
| 0.8.1 | Bug fix: Format host.mac as per ECS. | |
| 0.8.0 | Enhancement: Update to ECS 8.2.0. | |
| 0.7.0 | Enhancement: Update to ECS 8.0.0. | |
| 0.6.1 | Bug fix: Regenerate test files using the new GeoIP database. | |
| 0.6.0 | Enhancement: Add 8.0.0 version constraint. | |
| 0.5.4 | Enhancement: Uniform with guidelines. | |
| 0.5.3 | Enhancement: Update Title and Description. | |
| 0.5.2 | Bug fix: Fixed a bug that prevents the package from working in 7.16. | |
| 0.5.1 | Bug fix: Fix logic that checks for the 'forwarded' tag. | |
| 0.5.0 | Enhancement: Update to ECS 1.12.0. | |
| 0.4.3 | Bug fix: Requires version 7.14.1 of the stack. | |
| 0.4.2 | Enhancement: Convert to generated ECS fields. | |
| 0.4.1 | Enhancement: Update to ECS 1.11.0. | |
| 0.4.0 | Enhancement: Update integration description. | |
| 0.3.0 | Enhancement: Set "event.module" and "event.dataset". | |
| 0.2.0 | Enhancement: Update to ECS 1.10.0 and add event.original options. | |
| 0.1.4 | Enhancement: Update to ECS 1.9.0. | |
| 0.1.0 | Enhancement: Initial release. | |
