[8.15] [Security GenAI] [ Integration Assistant] Add missing ecs fields into the context (#187826) (#187973)
# Backport This will backport the following commits from `main` to `8.15`: - [[Security GenAI] [ Integration Assistant] Add missing ecs fields into the context (#187826)](https://github.com/elastic/kibana/pull/187826) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Bharat Pasupula","email":"123897612+bhapas@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-07-10T13:03:10Z","message":"[Security GenAI] [ Integration Assistant] Add missing ecs fields into the context (#187826)","sha":"6f168b5ea9ca2710656eea8cbca766019d6ffc04","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team: SecuritySolution","v8.15.0","v8.16.0"],"title":"[Security GenAI] [ Integration Assistant] Add missing ecs fields into the context","number":187826,"url":"https://github.com/elastic/kibana/pull/187826","mergeCommit":{"message":"[Security GenAI] [ Integration Assistant] Add missing ecs fields into the context (#187826)","sha":"6f168b5ea9ca2710656eea8cbca766019d6ffc04"}},"sourceBranch":"main","suggestedTargetBranches":["8.15"],"targetPullRequestStates":[{"branch":"8.15","label":"v8.15.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187826","number":187826,"mergeCommit":{"message":"[Security GenAI] [ Integration Assistant] Add missing ecs fields into the context (#187826)","sha":"6f168b5ea9ca2710656eea8cbca766019d6ffc04"}}]}] BACKPORT--> Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
This commit is contained in:
parent
b3e591b71d
commit
4b9a9c375e
1 changed files with 398 additions and 78 deletions
|
@ -1688,13 +1688,61 @@ export const ECS_TYPES: EcsFields = {
|
|||
};
|
||||
|
||||
export const ECS_FIELDS: EcsFields = {
|
||||
'as.number': 'Unique number allocated to the autonomous system.',
|
||||
'as.organization.name': 'Organization name of the autonomous system.',
|
||||
'client.address': 'Client network address.',
|
||||
'client.bytes': 'Bytes sent from the client to the server.',
|
||||
'client.domain': 'Client domain.',
|
||||
'client.geo.city_name': 'City name of the client.',
|
||||
'client.geo.continent_name': 'Name of the continent of the client.',
|
||||
'client.geo.country_name': 'Country name of the client.',
|
||||
'client.geo.location': 'Longitude and latitude of the client.',
|
||||
'client.geo.region_name': 'Region name of the client.',
|
||||
'client.ip': 'Client IP address.',
|
||||
'client.mac': 'MAC address of the client.',
|
||||
'client.nat.ip': 'Translated IP client address.',
|
||||
'client.nat.port': 'Translated port of client address.',
|
||||
'client.packets': 'Packets sent from the client to the server.',
|
||||
'client.port': 'Client port.',
|
||||
'client.registered_domain': 'The highest registered client domain, stripped of the subdomain.',
|
||||
'client.subdomain': 'Subdomain of the client.',
|
||||
'client.top_level_domain': 'Top level domain of the client.',
|
||||
'cloud.account.id': 'The cloud account or organization id.',
|
||||
'cloud.availability_zone': 'Availability zone in which this host is running.',
|
||||
'cloud.instance.id': 'Instance ID of the host machine.',
|
||||
'cloud.instance.name': 'Instance name of the host machine.',
|
||||
'cloud.machine.type': 'Machine type of the host machine.',
|
||||
'cloud.project.id': 'The cloud project id.',
|
||||
'cloud.project.name': 'The cloud project name.',
|
||||
'cloud.provider': 'Name of the cloud provider.',
|
||||
'cloud.region': 'Region in which this host is running.',
|
||||
'container.id': 'Unique container id.',
|
||||
'container.image.name': 'Name of the image the container is built on.',
|
||||
'container.image.tag': 'Container image tag.',
|
||||
'container.labels': 'Image labels.',
|
||||
'container.name': 'Container name.',
|
||||
'container.runtime': 'Runtime managing this container.',
|
||||
'data_stream.dataset': 'Data stream dataset.',
|
||||
'data_stream.namespace': 'Data stream namespace.',
|
||||
'data_stream.type': 'Data stream type.',
|
||||
'destination.address': 'Destination network address.',
|
||||
'destination.bytes': 'Bytes sent from the destination to the source.',
|
||||
'destination.domain': 'The domain name of the destination.',
|
||||
'destination.ip': 'IP address of the destination.',
|
||||
'destination.domain': 'Destination domain.',
|
||||
'destination.geo.city_name': 'City name of the destination.',
|
||||
'destination.geo.continent_name': 'Name of the continent of the destination.',
|
||||
'destination.geo.country_name': 'Country name of the destination.',
|
||||
'destination.geo.location': 'Longitude and latitude of the destination.',
|
||||
'destination.geo.region_name': 'Region name of the destination.',
|
||||
'destination.ip': 'Destination IP address.',
|
||||
'destination.mac': 'MAC address of the destination.',
|
||||
'destination.nat.ip': 'Translated IP destination address.',
|
||||
'destination.nat.port': 'Translated port of destination address.',
|
||||
'destination.packets': 'Packets sent from the destination to the source.',
|
||||
'destination.port': 'Port of the destination.',
|
||||
'destination.port': 'Destination port.',
|
||||
'destination.registered_domain':
|
||||
'The highest registered destination domain, stripped of the subdomain.',
|
||||
'destination.subdomain': 'Subdomain of the destination.',
|
||||
'destination.top_level_domain': 'Top level domain of the destination.',
|
||||
'destination.user.domain': 'Name of the directory the user is a member of.',
|
||||
'destination.user.email': 'User email address.',
|
||||
'destination.user.full_name': 'Users full name, if available.',
|
||||
|
@ -1703,92 +1751,305 @@ export const ECS_FIELDS: EcsFields = {
|
|||
'destination.user.group.name': 'Name of the group.',
|
||||
'destination.user.id': 'Unique identifier of the user.',
|
||||
'destination.user.name': 'Short name or login of the user.',
|
||||
'dll.code_signature.status': 'Status of the DLL code signature.',
|
||||
'dll.code_signature.subject_name': 'Subject name of the DLL code signer.',
|
||||
'dll.code_signature.trusted': 'Flag indicating if the DLL code signature is trusted.',
|
||||
'dll.code_signature.valid': 'Flag indicating if the DLL code signature is valid.',
|
||||
'dll.hash.md5': 'MD5 hash of the DLL.',
|
||||
'dll.hash.sha1': 'SHA1 hash of the DLL.',
|
||||
'dll.hash.sha256': 'SHA256 hash of the DLL.',
|
||||
'dll.name': 'Name of the DLL.',
|
||||
'dll.path': 'Full path to the DLL file.',
|
||||
'dll.pe.company': 'PE company name of the DLL.',
|
||||
'dll.pe.description': 'PE description of the DLL.',
|
||||
'dll.pe.file_version': 'PE file version of the DLL.',
|
||||
'dll.pe.imphash': 'PE import hash of the DLL.',
|
||||
'dll.pe.original_file_name': 'PE original file name of the DLL.',
|
||||
'dll.pe.product': 'PE product name of the DLL.',
|
||||
'dll.size': 'Size of the DLL in bytes.',
|
||||
'dll.type': 'Type of the DLL.',
|
||||
'dns.answers': 'DNS answers.',
|
||||
'dns.header_flags': 'DNS header flags.',
|
||||
'dns.id': 'DNS message ID.',
|
||||
'dns.op_code': 'DNS operation code.',
|
||||
'dns.question.class': 'DNS question class.',
|
||||
'dns.question.name': 'DNS question name.',
|
||||
'dns.question.registered_domain':
|
||||
'The highest registered DNS question domain, stripped of the subdomain.',
|
||||
'dns.question.subdomain': 'Subdomain of the DNS question.',
|
||||
'dns.question.top_level_domain': 'Top level domain of the DNS question.',
|
||||
'dns.question.type': 'DNS question type.',
|
||||
'dns.resolved_ip': 'Resolved IP addresses from DNS query.',
|
||||
'dns.response_code': 'DNS response code.',
|
||||
'dns.type': 'DNS query type.',
|
||||
'email.attachments': 'Email attachments.',
|
||||
'email.bcc.address': 'Email addresses of BCC recipients.',
|
||||
'email.bcc.domain': 'Domain of BCC recipients.',
|
||||
'email.bcc.local': 'Local part of the BCC recipients.',
|
||||
'email.bcc.registered_domain': 'The highest registered BCC domain, stripped of the subdomain.',
|
||||
'email.bcc.subdomain': 'Subdomain of the BCC recipients.',
|
||||
'email.bcc.top_level_domain': 'Top level domain of the BCC recipients.',
|
||||
'email.cc.address': 'Email addresses of CC recipients.',
|
||||
'email.cc.domain': 'Domain of CC recipients.',
|
||||
'email.cc.local': 'Local part of the CC recipients.',
|
||||
'email.cc.registered_domain': 'The highest registered CC domain, stripped of the subdomain.',
|
||||
'email.cc.subdomain': 'Subdomain of the CC recipients.',
|
||||
'email.cc.top_level_domain': 'Top level domain of the CC recipients.',
|
||||
'email.content_type': 'Content type of the email.',
|
||||
'email.delivery_timestamp': 'Time the email was delivered.',
|
||||
'email.direction': 'Direction of the email.',
|
||||
'email.from.address': 'Email address of the sender.',
|
||||
'email.from.domain': 'Domain of the sender.',
|
||||
'email.from.local': 'Local part of the sender.',
|
||||
'email.from.registered_domain':
|
||||
'The highest registered sender domain, stripped of the subdomain.',
|
||||
'email.from.subdomain': 'Subdomain of the sender.',
|
||||
'email.from.top_level_domain': 'Top level domain of the sender.',
|
||||
'email.local_id': 'Local identifier of the email.',
|
||||
'email.message_id': 'Message ID of the email.',
|
||||
'email.origination_timestamp': 'Time the email was originated.',
|
||||
'email.reply_to.address': 'Email address of the reply-to.',
|
||||
'email.reply_to.domain': 'Domain of the reply-to.',
|
||||
'email.reply_to.local': 'Local part of the reply-to.',
|
||||
'email.reply_to.registered_domain':
|
||||
'The highest registered reply-to domain, stripped of the subdomain.',
|
||||
'email.reply_to.subdomain': 'Subdomain of the reply-to.',
|
||||
'email.reply_to.top_level_domain': 'Top level domain of the reply-to.',
|
||||
'email.sender.address': 'Email address of the sender.',
|
||||
'email.sender.domain': 'Domain of the sender.',
|
||||
'email.sender.local': 'Local part of the sender.',
|
||||
'email.sender.registered_domain':
|
||||
'The highest registered sender domain, stripped of the subdomain.',
|
||||
'email.sender.subdomain': 'Subdomain of the sender.',
|
||||
'email.sender.top_level_domain': 'Top level domain of the sender.',
|
||||
'email.size': 'Size of the email in bytes.',
|
||||
'email.subject': 'Subject of the email.',
|
||||
'email.to.address': 'Email addresses of recipients.',
|
||||
'email.to.domain': 'Domain of recipients.',
|
||||
'email.to.local': 'Local part of the recipients.',
|
||||
'email.to.registered_domain':
|
||||
'The highest registered recipient domain, stripped of the subdomain.',
|
||||
'email.to.subdomain': 'Subdomain of the recipients.',
|
||||
'email.to.top_level_domain': 'Top level domain of the recipients.',
|
||||
'error.code': 'Error code describing the error.',
|
||||
'error.id': 'Unique identifier for the error.',
|
||||
'error.stack_trace': 'Error stack trace.',
|
||||
'error.type': 'Error type.',
|
||||
'event.action': 'The action captured by the event.',
|
||||
'event.created': 'Time when the event was first read by an agent or by your pipeline.',
|
||||
'event.code': 'Identification code for this event.',
|
||||
'event.duration': 'Duration of the event in nanoseconds.',
|
||||
'event.end':
|
||||
'event.end contains the date when the event ended or when the activity was last observed.',
|
||||
'event.end': 'Date when the event ended.',
|
||||
'event.hash': 'Hash of the event.',
|
||||
'event.id': 'Unique ID to describe the event.',
|
||||
'event.module': 'Name of the module this data is coming from.',
|
||||
'event.outcome': 'The outcome of the event.',
|
||||
'event.provider': 'Source of the event.',
|
||||
'event.reason': 'Reason why this event happened.',
|
||||
'event.reference': 'Reference URL describing this event.',
|
||||
'event.result': 'The result of the event.',
|
||||
'event.risk_score': 'Risk score or priority of the event.',
|
||||
'event.risk_score_norm': 'Normalized risk score or priority of the event.',
|
||||
'event.sequence': 'Sequence number of the event.',
|
||||
'event.severity': 'Numeric severity of the event.',
|
||||
'file.directory': 'Directory where the file is located.',
|
||||
'file.extension': 'File extension, excluding the leading dot.',
|
||||
'file.gid': 'Primary group ID (GID) of the file.',
|
||||
'file.group': 'Primary group name of the file.',
|
||||
'file.hash.md5': 'MD5 hash.',
|
||||
'file.hash.sha1': 'SHA1 hash.',
|
||||
'file.hash.sha256': 'SHA256 hash.',
|
||||
'event.start': 'Date when the event started.',
|
||||
'event.timezone': 'Timezone in which the event was captured.',
|
||||
'faas.coldstart': 'Indicator of a cold start invocation.',
|
||||
'faas.execution': 'Execution identifier.',
|
||||
'faas.id': 'Function ID.',
|
||||
'faas.name': 'Function name.',
|
||||
'faas.version': 'Function version.',
|
||||
'file.accessed': 'Last time the file was accessed.',
|
||||
'file.attributes': 'File attributes.',
|
||||
'file.created': 'Date/time when the file was created.',
|
||||
'file.ctime': 'Last time the file attributes or metadata changed.',
|
||||
'file.device': 'Device that is the source of the file.',
|
||||
'file.directory': 'Directory containing the file.',
|
||||
'file.drive_letter': 'Drive letter where the file is located.',
|
||||
'file.extension': 'File extension.',
|
||||
'file.gid': 'GID or group ID of the file.',
|
||||
'file.group': 'Group that owns the file.',
|
||||
'file.hash.md5': 'MD5 hash of the file.',
|
||||
'file.hash.sha1': 'SHA1 hash of the file.',
|
||||
'file.hash.sha256': 'SHA256 hash of the file.',
|
||||
'file.inode': 'Inode representing the file in the filesystem.',
|
||||
'file.name': 'Name of the file including the extension, without the directory.',
|
||||
'file.path': 'Full path to the file, including the file name.',
|
||||
'file.mime_type': 'File MIME type.',
|
||||
'file.mode': 'File mode.',
|
||||
'file.mtime': 'Last time the file content was modified.',
|
||||
'file.name': 'File name.',
|
||||
'file.owner': 'File owner.',
|
||||
'file.path': 'File path.',
|
||||
'file.puid': 'PUID or platform user ID of the file.',
|
||||
'file.size': 'File size in bytes.',
|
||||
'file.uid': 'The user ID (UID) or security identifier (SID) of the file owner.',
|
||||
'group.domain': 'Name of the directory the group is a member of.',
|
||||
'file.target_path': 'Target path for symbolic links.',
|
||||
'file.type': 'File type (file, dir, symlink, etc).',
|
||||
'file.uid': 'UID or user ID of the file.',
|
||||
'group.domain': 'Domain of the group.',
|
||||
'group.id': 'Unique identifier for the group on the system/platform.',
|
||||
'group.name': 'Name of the group.',
|
||||
'host.architecture': 'Operating system architecture.',
|
||||
'host.boot.id': 'Unique host boot identifier.',
|
||||
'host.cpu.usage': 'Percent CPU usage.',
|
||||
'host.disk.read.bytes': 'Total bytes read.',
|
||||
'host.disk.write.bytes': 'Total bytes written.',
|
||||
'host.geo.city_name': 'City name of the host.',
|
||||
'host.geo.continent_name': 'Name of the continent of the host.',
|
||||
'host.geo.country_name': 'Country name of the host.',
|
||||
'host.geo.location': 'Longitude and latitude of the host.',
|
||||
'host.geo.region_name': 'Region name of the host.',
|
||||
'host.hostname': 'Hostname of the host.',
|
||||
'host.id': 'Unique host id.',
|
||||
'host.ip': 'IP address of the host.',
|
||||
'host.mac': 'MAC address of the host.',
|
||||
'host.name': 'Name of the host.',
|
||||
'host.os.build': 'OS build information.',
|
||||
'host.os.family': 'OS family (e.g., redhat, debian, freebsd, windows).',
|
||||
'host.os.full': 'Operating system name, including the version or code name.',
|
||||
'host.os.kernel': 'Operating system kernel version.',
|
||||
'host.os.name': 'Operating system name.',
|
||||
'host.os.platform': 'Operating system platform (e.g., centos, ubuntu, windows).',
|
||||
'host.os.type': 'Operating system type (linux, macos, unix, windows).',
|
||||
'host.os.version': 'Operating system version.',
|
||||
'http.request.body.bytes': 'Size in bytes of the request body.',
|
||||
'http.request.body.content': 'The full HTTP request body.',
|
||||
'http.request.headers': 'HTTP request headers.',
|
||||
'http.request.method': 'HTTP request method.',
|
||||
'http.request.mime_type': 'MIME type of the HTTP request.',
|
||||
'http.request.referrer': 'Referrer for this HTTP request.',
|
||||
'http.response.body.bytes': 'Size in bytes of the response body.',
|
||||
'http.response.body.content': 'The full HTTP response body.',
|
||||
'http.response.headers': 'HTTP response headers.',
|
||||
'http.response.mime_type': 'MIME type of the HTTP response.',
|
||||
'http.response.status_code': 'HTTP response status code.',
|
||||
'http.version': 'HTTP version.',
|
||||
'network.application': 'Application level protocol name.',
|
||||
'network.bytes': 'Total bytes transferred in both directions.',
|
||||
'network.direction': 'Direction of the network traffic.',
|
||||
'network.packets': 'Total packets transferred in both directions.',
|
||||
'network.protocol': 'Application protocol name.',
|
||||
'network.transport': 'Protocol Name corresponding to the field `iana_number`.',
|
||||
'network.type': 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc',
|
||||
'interface.alias': 'Interface alias name.',
|
||||
'interface.id': 'Unique identifier for the interface.',
|
||||
'interface.name': 'Interface name.',
|
||||
'interface.type': 'Interface type.',
|
||||
'log.file.path': 'Path to the log file.',
|
||||
'log.level': 'Log level of the log event.',
|
||||
'log.logger': 'Name of the logger.',
|
||||
'log.origin.file.line':
|
||||
'Line number of the file containing the source code which originated the log.',
|
||||
'log.origin.file.name': 'Name of the file containing the source code which originated the log.',
|
||||
'log.origin.function': 'Name of the function which originated the log.',
|
||||
'log.original': 'The original log message before any modification.',
|
||||
'log.syslog.facility.code': 'Syslog facility code.',
|
||||
'log.syslog.facility.name': 'Syslog facility name.',
|
||||
'log.syslog.severity.code': 'Syslog severity code.',
|
||||
'log.syslog.severity.name': 'Syslog severity name.',
|
||||
'metricset.name': 'Name of the metricset.',
|
||||
'network.application': 'Network application.',
|
||||
'network.bytes': 'Total bytes transferred in the network event.',
|
||||
'network.community_id': 'A hash of source and destination IPs, ports, and protocol.',
|
||||
'network.direction': 'Network traffic direction (inbound, outbound).',
|
||||
'network.forwarded_ip':
|
||||
'The field is used to store the original source IP when a proxy or load balancer is in place.',
|
||||
'network.iana_number': 'IANA Protocol Number.',
|
||||
'network.name': 'Name given by operators to sections of their network.',
|
||||
'network.packets': 'Total packets transferred in the network event.',
|
||||
'network.protocol': 'L7 Network protocol name.',
|
||||
'network.transport': 'L4 Network transport protocol.',
|
||||
'network.type': 'Type of the network.',
|
||||
'organization.id': 'Unique identifier for the organization.',
|
||||
'organization.name': 'Organization name.',
|
||||
'organization.name': 'Name of the organization.',
|
||||
'package.architecture': 'Package architecture.',
|
||||
'package.checksum': 'Checksum of the package.',
|
||||
'package.description': 'Package description.',
|
||||
'package.install_scope': 'Scope of the package installation.',
|
||||
'package.license': 'Package license.',
|
||||
'package.name': 'Package name.',
|
||||
'package.path': 'Package path.',
|
||||
'package.reference': 'Package reference.',
|
||||
'package.size': 'Package size.',
|
||||
'package.version': 'Package version.',
|
||||
'process.args': 'Array of process arguments.',
|
||||
'process.args_count': 'Length of the process.args array.',
|
||||
'process.code_signature.status': 'Status of the process code signature.',
|
||||
'process.code_signature.subject_name': 'Subject name of the process code signer.',
|
||||
'process.code_signature.trusted': 'Flag indicating if the process code signature is trusted.',
|
||||
'process.code_signature.valid': 'Flag indicating if the process code signature is valid.',
|
||||
'process.command_line': 'Full command line that started the process.',
|
||||
'process.end': 'The time the process ended.',
|
||||
'process.executable': 'Absolute path to the process executable.',
|
||||
'process.hash.md5': 'MD5 hash.',
|
||||
'process.hash.sha1': 'SHA1 hash.',
|
||||
'process.hash.sha256': 'SHA256 hash.',
|
||||
'process.exit_code': 'Exit code of the process.',
|
||||
'process.hash.md5': 'MD5 hash of the process executable.',
|
||||
'process.hash.sha1': 'SHA1 hash of the process executable.',
|
||||
'process.hash.sha256': 'SHA256 hash of the process executable.',
|
||||
'process.name': 'Process name.',
|
||||
'process.parent.args': 'Array of process arguments.',
|
||||
'process.parent.args': 'Array of parent process arguments.',
|
||||
'process.parent.args_count': 'Length of the process.args array.',
|
||||
'process.parent.command_line': 'Full command line that started the process.',
|
||||
'process.parent.end': 'The time the process ended.',
|
||||
'process.parent.executable': 'Absolute path to the process executable.',
|
||||
'process.parent.code_signature.status': 'Status of the parent process code signature.',
|
||||
'process.parent.code_signature.subject_name': 'Subject name of the parent process code signer.',
|
||||
'process.parent.code_signature.trusted':
|
||||
'Flag indicating if the parent process code signature is trusted.',
|
||||
'process.parent.code_signature.valid':
|
||||
'Flag indicating if the parent process code signature is valid.',
|
||||
'process.parent.command_line': 'Full command line that started the parent process.',
|
||||
'process.parent.end': 'The time the parent process ended.',
|
||||
'process.parent.executable': 'Absolute path to the parent process executable.',
|
||||
'process.parent.exit_code': 'Exit code of the parent process.',
|
||||
'process.parent.group.id': 'Unique identifier for the group on the system/platform.',
|
||||
'process.parent.group.name': 'Name of the group.',
|
||||
'process.parent.hash.md5': 'MD5 hash.',
|
||||
'process.parent.hash.sha1': 'SHA1 hash.',
|
||||
'process.parent.hash.sha256': 'SHA256 hash.',
|
||||
'process.parent.name': 'Process name.',
|
||||
'process.parent.hash.md5': 'MD5 hash of the parent process executable.',
|
||||
'process.parent.hash.sha1': 'SHA1 hash of the parent process executable.',
|
||||
'process.parent.hash.sha256': 'SHA256 hash of the parent process executable.',
|
||||
'process.parent.name': 'Parent process name.',
|
||||
'process.parent.pgid': 'Deprecated identifier of the group of processes the process belongs to.',
|
||||
'process.parent.pid': 'Process id.',
|
||||
'process.parent.start': 'The time the process started.',
|
||||
'process.parent.thread.id': 'Thread ID.',
|
||||
'process.parent.thread.name': 'Thread name.',
|
||||
'process.parent.user.id': 'Unique identifier of the user.',
|
||||
'process.parent.pid': 'Parent process ID.',
|
||||
'process.parent.start': 'The date/time when the parent process started.',
|
||||
'process.parent.working_directory': 'The working directory of the parent process.',
|
||||
'process.parent.user.name': 'Short name or login of the user.',
|
||||
'process.pgid': 'Deprecated identifier of the group of processes the process belongs to.',
|
||||
'process.pid': 'Process id.',
|
||||
'process.start': 'The time the process started.',
|
||||
'process.pid': 'Process ID.',
|
||||
'process.start': 'The date/time when the process started.',
|
||||
'process.thread.id': 'Thread ID.',
|
||||
'process.thread.name': 'Thread name.',
|
||||
'process.user.id': 'Unique identifier of the user.',
|
||||
'process.user.name': 'Short name or login of the user.',
|
||||
'rule.author': 'Rule author',
|
||||
'rule.category': 'Rule category',
|
||||
'rule.description': 'Rule description',
|
||||
'rule.id': 'Rule ID',
|
||||
'process.title': 'Process title.',
|
||||
'process.working_directory': 'The working directory of the process.',
|
||||
'rule.author': 'Author of the rule.',
|
||||
'rule.category': 'Rule category.',
|
||||
'rule.description': 'Rule description.',
|
||||
'rule.id': 'Unique rule ID.',
|
||||
'rule.license': 'Rule license',
|
||||
'rule.name': 'Rule name',
|
||||
'rule.name': 'Name of the rule.',
|
||||
'rule.reference': 'Rule reference URL',
|
||||
'rule.ruleset': 'Rule ruleset',
|
||||
'rule.uuid': 'Rule UUID',
|
||||
'rule.version': 'Rule version',
|
||||
'rule.ruleset': 'Rule set to which the rule belongs.',
|
||||
'rule.uuid': 'Rule UUID.',
|
||||
'server.address': 'Server network address.',
|
||||
'server.bytes': 'Bytes sent from the server to the client.',
|
||||
'server.domain': 'Server domain.',
|
||||
'server.geo.city_name': 'City name of the server.',
|
||||
'server.geo.continent_name': 'Name of the continent of the server.',
|
||||
'server.geo.country_name': 'Country name of the server.',
|
||||
'server.geo.location': 'Longitude and latitude of the server.',
|
||||
'server.geo.region_name': 'Region name of the server.',
|
||||
'server.ip': 'Server IP address.',
|
||||
'server.mac': 'MAC address of the server.',
|
||||
'server.nat.ip': 'Translated IP server address.',
|
||||
'server.nat.port': 'Translated port of server address.',
|
||||
'server.packets': 'Packets sent from the server to the client.',
|
||||
'server.port': 'Server port.',
|
||||
'server.registered_domain': 'The highest registered server domain, stripped of the subdomain.',
|
||||
'server.subdomain': 'Subdomain of the server.',
|
||||
'server.top_level_domain': 'Top level domain of the server.',
|
||||
'source.address': 'Source network address.',
|
||||
'source.bytes': 'Bytes sent from the source to the destination.',
|
||||
'source.domain': 'The domain name of the source.',
|
||||
'source.ip': 'IP address of the source.',
|
||||
'source.domain': 'Source domain.',
|
||||
'source.geo.city_name': 'City name of the source.',
|
||||
'source.geo.continent_name': 'Name of the continent of the source.',
|
||||
'source.geo.country_name': 'Country name of the source.',
|
||||
'source.geo.location': 'Longitude and latitude of the source.',
|
||||
'source.geo.region_name': 'Region name of the source.',
|
||||
'source.ip': 'Source IP address.',
|
||||
'source.mac': 'MAC address of the source.',
|
||||
'source.nat.ip': 'Translated IP source address.',
|
||||
'source.nat.port': 'Translated port of source address.',
|
||||
'source.packets': 'Packets sent from the source to the destination.',
|
||||
'source.port': 'Port of the source.',
|
||||
'source.port': 'Source port.',
|
||||
'source.registered_domain': 'The highest registered source domain, stripped of the subdomain.',
|
||||
'source.subdomain': 'Subdomain of the source.',
|
||||
'source.top_level_domain': 'Top level domain of the source.',
|
||||
'source.user.domain': 'Name of the directory the user is a member of.',
|
||||
'source.user.email': 'User email address.',
|
||||
'source.user.full_name': 'Users full name, if available.',
|
||||
|
@ -1798,33 +2059,92 @@ export const ECS_FIELDS: EcsFields = {
|
|||
'source.user.id': 'Unique identifier of the user.',
|
||||
'source.user.name': 'Short name or login of the user.',
|
||||
'source.user.roles': 'Array of user roles at the time of the event.',
|
||||
'threat.framework': 'Name of the threat framework used.',
|
||||
'threat.tactic.id': 'The ID of the tactic.',
|
||||
'threat.tactic.name': 'Name of the tactic.',
|
||||
'threat.tactic.reference': 'Reference URL of the tactic.',
|
||||
'threat.technique.id': 'The ID of the technique.',
|
||||
'threat.technique.name': 'Name of the technique.',
|
||||
'threat.technique.reference': 'Reference URL of the technique.',
|
||||
'threat.technique.subtechnique.id': 'The ID of the subtechnique.',
|
||||
'threat.technique.subtechnique.name': 'Name of the subtechnique.',
|
||||
'threat.technique.subtechnique.reference': 'Reference URL of the subtechnique.',
|
||||
'tls.server.x509.alternative_names': 'List of subject alternative names (SAN).',
|
||||
'tls.server.x509.issuer.common_name':
|
||||
'List of common name (CN) of issuing certificate authority.',
|
||||
'threat.framework': 'Threat classification framework.',
|
||||
'threat.tactic.id': 'Threat tactic id.',
|
||||
'threat.tactic.name': 'Threat tactic.',
|
||||
'threat.technique.id': 'Threat technique id.',
|
||||
'threat.technique.name': 'Threat technique name.',
|
||||
'url.domain': 'Domain of the url.',
|
||||
'url.extension': 'File extension from the request url, excluding the leading dot.',
|
||||
'url.fragment': 'Portion of the url after the `#`.',
|
||||
'url.full': 'Full unparsed URL.',
|
||||
'url.original': 'Unmodified original url as seen in the event source.',
|
||||
'url.path': 'Path of the request, such as "/search".',
|
||||
'url.port': 'Port of the request, such as 443.',
|
||||
'url.query': 'Query string of the request.',
|
||||
'url.scheme': 'Scheme of the url.',
|
||||
'user.domain': 'Name of the directory the user is a member of.',
|
||||
'user.email': 'User email address.',
|
||||
'user.full_name': 'Users full name, if available.',
|
||||
'user.group.domain': 'Name of the directory the group is a member of.',
|
||||
'user.group.id': 'Unique identifier for the group on the system/platform.',
|
||||
'user.group.name': 'Name of the group.',
|
||||
'trace.id': 'Unique identifier for a trace.',
|
||||
'transaction.id': 'Unique identifier for a transaction.',
|
||||
'url.domain': 'Domain of the URL.',
|
||||
'url.extension': 'File extension from the URL.',
|
||||
'url.fragment': 'Fragment identifier of the URL.',
|
||||
'url.full': 'Full URL.',
|
||||
'url.original': 'Original URL.',
|
||||
'url.password': 'Password from the URL.',
|
||||
'url.path': 'Path of the URL.',
|
||||
'url.port': 'Port of the URL.',
|
||||
'url.query': 'Query string of the URL.',
|
||||
'url.registered_domain': 'The highest registered domain, stripped of the subdomain.',
|
||||
'url.scheme': 'Scheme of the URL.',
|
||||
'url.subdomain': 'Subdomain of the URL.',
|
||||
'url.top_level_domain': 'Top level domain of the URL.',
|
||||
'url.username': 'Username from the URL.',
|
||||
'user.changes.domain': 'Domain of the target user.',
|
||||
'user.changes.email': "Target user's email address.",
|
||||
'user.changes.full_name': "Target user's full name.",
|
||||
'user.changes.group.id': "Unique identifier for the target user's group.",
|
||||
'user.changes.group.name': "Target user's group name.",
|
||||
'user.changes.id': 'Unique identifier of the target user.',
|
||||
'user.changes.name': "Target user's name.",
|
||||
'user.domain': 'Domain of the user.',
|
||||
'user.effective.domain': 'Domain of the effective user.',
|
||||
'user.effective.email': "Effective user's email address.",
|
||||
'user.effective.full_name': "Effective user's full name.",
|
||||
'user.effective.group.id': "Unique identifier for the effective user's group.",
|
||||
'user.effective.group.name': "Effective user's group name.",
|
||||
'user.effective.id': 'Unique identifier of the effective user.',
|
||||
'user.effective.name': "Effective user's name.",
|
||||
'user.email': "User's email address.",
|
||||
'user.full_name': "User's full name.",
|
||||
'user.group.domain': "Domain of the user's group.",
|
||||
'user.group.id': "Unique identifier for the user's group.",
|
||||
'user.group.name': "User's group name.",
|
||||
'user.hash': 'User hash.',
|
||||
'user.id': 'Unique identifier of the user.',
|
||||
'user.name': 'Short name or login of the user.',
|
||||
'user.roles': 'Array of user roles at the time of the event.',
|
||||
'user_agent.original': 'Unparsed user_agent string.',
|
||||
'user.name': "User's name.",
|
||||
'user.target.domain': 'Domain of the target user.',
|
||||
'user.target.email': "Target user's email address.",
|
||||
'user.target.full_name': "Target user's full name.",
|
||||
'user.target.group.id': "Unique identifier for the target user's group.",
|
||||
'user.target.group.name': "Target user's group name.",
|
||||
'user.target.id': 'Unique identifier of the target user.',
|
||||
'user.target.name': "Target user's name.",
|
||||
'user_agent.device.name': 'Device name from the user agent string.',
|
||||
'user_agent.name': 'Name of the user agent.',
|
||||
'user_agent.original': 'Original user agent string.',
|
||||
'user_agent.os.family': 'OS family from the user agent string.',
|
||||
'user_agent.os.full': 'Full OS information from the user agent string.',
|
||||
'user_agent.os.name': 'OS name from the user agent string.',
|
||||
'user_agent.os.version': 'OS version from the user agent string.',
|
||||
'user_agent.version': 'Version of the user agent.',
|
||||
'vlan.id': 'VLAN ID.',
|
||||
'vlan.name': 'VLAN name.',
|
||||
'vulnerability.category': 'Vulnerability category.',
|
||||
'vulnerability.classification': 'Vulnerability classification.',
|
||||
'vulnerability.description': 'Vulnerability description.',
|
||||
'vulnerability.enumeration': 'Vulnerability enumeration.',
|
||||
'vulnerability.id': 'Unique vulnerability identifier.',
|
||||
'vulnerability.reference': 'Vulnerability reference URL.',
|
||||
'vulnerability.report_id': 'The report or scan identification number.',
|
||||
'vulnerability.scanner.vendor': 'Name of the vulnerability scanner vendor.',
|
||||
'vulnerability.score.base':
|
||||
'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope..',
|
||||
'vulnerability.score.environmental':
|
||||
'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements.',
|
||||
'vulnerability.score.temporal':
|
||||
'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence.',
|
||||
'vulnerability.score.version':
|
||||
'The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.',
|
||||
'vulnerability.severity': 'Vulnerability severity.',
|
||||
};
|
||||
|
||||
export const ECS_EXAMPLE_ANSWER = {
|
||||
|
|
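Review bot: The `process.parent.args_count` entry in the second hunk describes the `process.args` array rather than `process.parent.args`, which reads like a copy-paste slip from the non-parent entry; suggest `'process.parent.args_count': 'Length of the process.parent.args array.',` (markers are lost on this page, so it may be context rather than new text). In the third hunk the `vulnerability.score.base` description ends with `scope..`, a double period that will be passed verbatim into the model context. The first hunk shows `ECS_TYPES` closing directly above `ECS_FIELDS` and no hunk in this commit touches it, so if the two `EcsFields` maps are expected to be key-aligned, the added keys (`url.password`, `user.hash`, the `vulnerability.*` group) presumably have no `ECS_TYPES` counterpart — worth confirming. Several keys appear twice in the rendered view (`destination.domain`, `file.hash.md5`, `rule.author`); I read each pair as old-removed/new-added, but if both survive on the new side tsc rejects the literal with "An object literal cannot have multiple properties with the same name".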