Osquery: Update exported fields reference for osquery 5.5.1 (#143754)

Aleksandr Maus 2023-02-02 11:17:17 -05:00 committed by GitHub
parent 927091dfea
commit ff39dca4a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -80,6 +80,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _systemd_units.active_state_ - The high-level unit activation state, i.e. generalization of SUB
*activity* - keyword, number.long
* _unified_log.activity_ - the activity ID associate with the entry.
*actual* - keyword, number.long
* _fan_speed_sensors.actual_ - Actual speed
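Review bot: the added `_unified_log.activity_` description in this hunk reads "the activity ID associate with the entry"; it should be "associated", and it starts lowercase while the neighbouring entries (`Actual speed`, `The high-level unit activation state`) are capitalised. Because this reference is regenerated from the osquery schema, the wording fix belongs in the upstream column description or in the generator's post-processing, otherwise the next regeneration reintroduces it.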
@ -114,7 +118,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*algorithm* - keyword, text.text
* _authorized_keys.algorithm_ - algorithm of key
* _authorized_keys.algorithm_ - Key type
*alias* - keyword, text.text
@ -621,6 +625,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _ntfs_journal_events.category_ - The category that the event originated from
* _power_sensors.category_ - The sensor category: currents, voltage, wattage
* _system_extensions.category_ - System extension category
* _unified_log.category_ - The category of the os_log_t used
* _yara_events.category_ - The category of the file
*cdhash* - keyword, text.text
@ -645,6 +650,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_containers.cgroup_namespace_ - cgroup namespace
* _process_namespaces.cgroup_namespace_ - cgroup namespace inode
*cgroup_path* - keyword, text.text
* _processes.cgroup_path_ - The full hierarchical path of the process's control group
*chain* - keyword, text.text
* _iptables.chain_ - Size of module content.
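Review bot: the unchanged context line `_iptables.chain_ - Size of module content.` at the bottom of this hunk describes a chain name as a module size, which cannot be right; the new `_processes.cgroup_path_` entry shows descriptions are copied verbatim from the schema, so this is worth correcting at the source (or special-casing in the generator) while the file is being regenerated for 5.5.1.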
@ -836,9 +845,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*comment* - keyword, text.text
* _authorizations.comment_ - Label top-level key
* _authorized_keys.comment_ - Optional comment
* _docker_image_history.comment_ - Instruction comment
* _etc_protocols.comment_ - Comment with protocol description
* _etc_services.comment_ - Optional comment for a service.
* _etc_services.comment_ - Optional comment for a service
* _groups.comment_ - Remarks or comments associated with the group
* _keychain_items.comment_ - Optional keychain comment
@ -1937,6 +1947,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _alf.firewall_unload_ - 1 If firewall unloading enabled else 0
*firmware_type* - keyword, text.text
* _platform_info.firmware_type_ - The type of firmware (Uefi, Bios, Unknown).
*firmware_version* - keyword, text.text
* _ibridge_info.firmware_version_ - The build version of the firmware
@ -2236,7 +2250,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*hostname* - keyword, text.text
* _curl_certificate.hostname_ - Hostname (domain[:port]) to CURL
* _curl_certificate.hostname_ - Hostname to CURL (domain[:port], for example, osquery.io)
* _system_info.hostname_ - Network hostname including domain
* _ycloud_instance_metadata.hostname_ - Hostname of the VM
@ -2683,7 +2697,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*key* - keyword, text.text
* _authorized_keys.key_ - parsed authorized keys line
* _authorized_keys.key_ - Key encoded as base64
* _azure_instance_tags.key_ - The tag key
* _chrome_extensions.key_ - The extension key, from the manifest file
* _docker_container_envs.key_ - Environment variable name
@ -2857,9 +2871,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_image_layers.layer_order_ - Layer Order (1 = base layer)
*level* - keyword, number.long
*level* - keyword
* _asl.level_ - Log level number. See levels in asl.h.
* _unified_log.level_ - the severity level of the entry
* _windows_eventlog.level_ - Severity level associated with the event
* _windows_events.level_ - The severity level associated with the event
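Review bot: the `*level*` header changes from `keyword, number.long` to just `keyword`, which narrows the mapping of an existing field rather than only adding a sub-entry, and the commit message does not mention it. `_asl.level_` is documented as a "Log level number", so anyone using numeric range filters on `level` loses the `number.long` multi-field. If the drop is because the new `_unified_log.level_` is text, say so; otherwise keep both types on the header, as `*options*` does elsewhere in this diff with `keyword, text.text`.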
@ -3093,6 +3108,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _pipes.max_instances_ - The maximum number of instances creatable for this pipe
*max_rows* - keyword, number.long
* _unified_log.max_rows_ - The max number of rows returned (defaults to 100).
*max_speed* - keyword, number.long
* _memory_devices.max_speed_ - Max speed of memory device in megatransfers per second (MT/s)
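Review bot: `_unified_log.max_rows_` is, by its own description ("The max number of rows returned (defaults to 100)"), a query limit rather than a value the table reports, so exporting it as a result field only makes sense if the constraint is echoed back in rows; the description should say which it is. It also ends with a trailing period, unlike the adjacent `_memory_devices.max_speed_` entry and most of the file; normalising that in the generator keeps future diffs quieter.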
@ -3221,6 +3240,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _lxd_cluster_members.message_ - Message from the node (Online/Offline)
* _selinux_events.message_ - Message
* _syslog_events.message_ - The syslog message
* _unified_log.message_ - Composed message
* _user_events.message_ - Message from the event
*metadata_endpoint* - keyword, text.text
@ -3699,8 +3719,9 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _chrome_extensions.optional_permissions_json_ - The JSON-encoded permissions optionally required by the extensions
*options* - keyword
*options* - keyword, text.text
* _authorized_keys.options_ - Optional list of login options
* _dns_resolvers.options_ - Resolver options
* _nfs_shares.options_ - Options string set on the export share
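Review bot: widening `*options*` from `keyword` to `keyword, text.text` adds a new `text.text` multi-field, but the hunk adds no sub-entry that explains the change: `_authorized_keys.options_`, `_dns_resolvers.options_` and `_nfs_shares.options_` are all unchanged context. A short note in the commit message on which table or schema change drove the new type would help whoever reviews the corresponding index mapping.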
@ -4129,9 +4150,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _processes.pid_ - Process (or thread) ID
* _running_apps.pid_ - The pid of the application
* _seccomp_events.pid_ - Process ID
* _services.pid_ - the Process ID of the service
* _services.pid_ - The Process ID of the service
* _shared_memory.pid_ - Process ID to last use the segment
* _socket_events.pid_ - Process (or thread) ID
* _unified_log.pid_ - The pid of the process that made the entry
* _user_events.pid_ - Process (or thread) ID
* _windows_crashes.pid_ - Process ID of the crashed process
* _windows_eventlog.pid_ - Process ID which emitted the event record
@ -4305,6 +4327,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*process* - keyword, text.text
* _alf_explicit_auths.process_ - Process name explicitly allowed
* _unified_log.process_ - The name of the process that made the entry
*process_being_tapped* - keyword, number.long
@ -4852,6 +4875,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*sender* - keyword, text.text
* _asl.sender_ - Sender's identification string. Default is process name.
* _unified_log.sender_ - The name of the binary image that made the entry
*sensor_backend_server* - keyword, text.text
@ -5311,6 +5335,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _kva_speculative_info.stibp_support_enabled_ - Windows uses STIBP.
*storage* - keyword, number.long
* _unified_log.storage_ - The storage category for the entry.
*storage_driver* - keyword, text.text
* _docker_info.storage_driver_ - Storage driver
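Review bot: `*storage*` is typed `number.long`, yet the new `_unified_log.storage_` description ("The storage category for the entry.") reads as if it were a name; make clear it is a numeric category code, and drop the trailing period to match `_docker_info.storage_driver_ - Storage driver` and the rest of the file.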
@ -5388,6 +5416,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*subsystem* - keyword, text.text
* _system_controls.subsystem_ - Subsystem ID, control type
* _unified_log.subsystem_ - The subsystem of the os_log_t used
*subsystem_model* - keyword, text.text
@ -5556,6 +5585,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _bpf_process_events.tid_ - Thread ID
* _bpf_socket_events.tid_ - Thread ID
* _unified_log.tid_ - The tid of the thread that made the entry
* _windows_crashes.tid_ - Thread ID of the crashed thread
* _windows_eventlog.tid_ - Thread ID which emitted the event record
@ -5607,6 +5637,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*timestamp* - keyword, text.text
* _time.timestamp_ - Current timestamp (log format) in UTC
* _unified_log.timestamp_ - Unix timestamp associated with the entry
* _windows_eventlog.timestamp_ - Timestamp to selectively filter the events
*timestamp_ms* - keyword, number.long
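Review bot: `_unified_log.timestamp_` is described as a "Unix timestamp" but is added under `*timestamp* - keyword, text.text`, so it is indexed as a string and range filters or sorting by time on it will compare lexicographically. If the column is numeric in osquery, the header should gain `number.long` (compare `*timestamp_ms* - keyword, number.long` directly below); if osquery emits it as a string, the description should say so rather than calling it a Unix timestamp.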
@ -5697,7 +5728,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _ntfs_acl_permissions.type_ - Type of access mode for the access control entry.
* _nvram.type_ - Data type (CFData, CFString, etc)
* _osquery_events.type_ - Either publisher or subscriber
* _osquery_extensions.type_ - SDK extension type: extension or module
* _osquery_extensions.type_ - SDK extension type: core, extension, or module
* _osquery_flags.type_ - Flag type
* _process_open_pipes.type_ - Pipe Type: named vs unnamed/anonymous
* _registry.type_ - Type of the registry value, or 'subkey' if item is a subkey
@ -5742,7 +5773,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _known_hosts.uid_ - The local user that owns the known_hosts file
* _launchd_overrides.uid_ - User ID applied to the override, 0 applies to all
* _package_bom.uid_ - Expected user of file or directory
* _password_policy.uid_ - User ID for the policy if available
* _password_policy.uid_ - User ID for the policy, -1 for policies that are global
* _process_events.uid_ - User ID at process start
* _process_file_events.uid_ - The uid of the process performing the action
* _processes.uid_ - Unsigned user ID
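Review bot: the rewritten `_password_policy.uid_` description introduces `-1` as the sentinel for global policies, while `_processes.uid_` in the same hunk is documented as "Unsigned user ID"; the shared `uid` field therefore carries signed semantics for one table and unsigned for another. Worth a sentence in the description (or the PR) so detection rules that filter on `uid >= 0` or treat the field as unsigned do not silently drop the global-policy rows.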