├── .backportrc.json ├── .buildkite ├── pipeline.yml.py ├── scripts │ ├── build.sh │ ├── build_info.py │ ├── check.sh │ ├── find_oldest_supported_version.py │ └── sign_and_publish.sh └── sign_and_publish.yml.py ├── .bumpversion.cfg ├── .ci ├── Jenkinsfile └── jobs │ ├── defaults.yml │ └── endpoint-package-mbp.yml ├── .gitattributes ├── .github ├── CODEOWNERS └── PULL_REQUEST_TEMPLATE ├── .gitignore ├── .go-version ├── .prettierignore ├── LICENSE.txt ├── Makefile ├── NOTICE.txt ├── README.md ├── catalog-info.yaml ├── custom_documentation ├── doc │ └── endpoint │ │ ├── README.md │ │ ├── alerts │ │ ├── linux │ │ │ ├── linux_malicious_behavior_alert.md │ │ │ ├── linux_malware_alert.md │ │ │ └── linux_memory_threat_alert.md │ │ ├── macos │ │ │ ├── macos_malicious_behavior_alert.md │ │ │ ├── macos_malware_alert.md │ │ │ └── macos_memory_threat_alert.md │ │ └── windows │ │ │ ├── windows_malicious_behavior_alert.md │ │ │ ├── windows_malware_alert.md │ │ │ ├── windows_memory_threat_alert.md │ │ │ ├── windows_ransomware_alert.md │ │ │ └── windows_shellcode_thread.md │ │ ├── api │ │ └── windows │ │ │ ├── windows_api_amsi.md │ │ │ ├── windows_api_asm.md │ │ │ ├── windows_api_credential_access.md │ │ │ ├── windows_api_kernel_audit.md │ │ │ ├── windows_api_tcpip.md │ │ │ ├── windows_api_threat_intelligence.md │ │ │ ├── windows_api_win32k.md │ │ │ └── windows_api_wmi.md │ │ ├── file │ │ ├── linux │ │ │ ├── linux_file_create.md │ │ │ ├── linux_file_delete.md │ │ │ ├── linux_file_endpoint_unquarantine.md │ │ │ └── linux_file_rename.md │ │ ├── macos │ │ │ ├── macos_file_access.md │ │ │ ├── macos_file_delete.md │ │ │ ├── macos_file_endpoint_unquarantine.md │ │ │ ├── macos_file_extended_attributes_delete.md │ │ │ ├── macos_file_launch_daemon.md │ │ │ ├── macos_file_modification.md │ │ │ ├── macos_file_mount.md │ │ │ └── macos_file_rename.md │ │ └── windows │ │ │ ├── windows_file_create.md │ │ │ ├── windows_file_delete.md │ │ │ ├── windows_file_endpoint_unquarantine.md │ │ │ ├── 
windows_file_modification.md │ │ │ ├── windows_file_open.md │ │ │ ├── windows_file_overwrite.md │ │ │ └── windows_file_rename.md │ │ ├── library │ │ ├── macos │ │ │ └── macos_library_load.md │ │ └── windows │ │ │ └── windows_library_load.md │ │ ├── metadata │ │ └── metadata.md │ │ ├── metrics │ │ └── metrics.md │ │ ├── network │ │ ├── linux │ │ │ ├── linux_network_attempted_accepted_and_disconnect.md │ │ │ └── linux_network_dns_lookup_result.md │ │ ├── macos │ │ │ ├── macos_network_connection_attempted_and_disconnect.md │ │ │ └── macos_network_dns_lookup_result.md │ │ └── windows │ │ │ ├── windows_network_attempted_accepted_and_disconnect.md │ │ │ ├── windows_network_dns_lookup_requested.md │ │ │ └── windows_network_dns_lookup_result.md │ │ ├── policy │ │ └── policy_response.md │ │ ├── process │ │ ├── linux │ │ │ ├── linux_process_already_running.md │ │ │ ├── linux_process_fork_exec_exit.md │ │ │ ├── linux_process_gid_change.md │ │ │ ├── linux_process_memfd_create.md │ │ │ ├── linux_process_ptrace.md │ │ │ ├── linux_process_session_id_change.md │ │ │ ├── linux_process_shmget.md │ │ │ ├── linux_process_text_output.md │ │ │ └── linux_process_uid_change.md │ │ ├── macos │ │ │ ├── macos_process_already_running.md │ │ │ ├── macos_process_fork_exec_exit.md │ │ │ └── macos_process_remote_thread.md │ │ └── windows │ │ │ ├── windows_process_already_running.md │ │ │ └── windows_process_create_and_exit.md │ │ ├── registry │ │ └── windows │ │ │ ├── windows_registry_modification.md │ │ │ └── windows_registry_query.md │ │ ├── security │ │ ├── macos │ │ │ ├── macos_security_gatekeeper_override.md │ │ │ ├── macos_security_log_on.md │ │ │ ├── macos_security_rdp_log_on.md │ │ │ └── macos_security_ssh_log_on.md │ │ └── windows │ │ │ ├── windows_security_log_off.md │ │ │ └── windows_security_log_on.md │ │ └── volume_device │ │ └── windows │ │ ├── windows_volume_device_mount.md │ │ └── windows_volume_device_unmount.md └── src │ └── endpoint │ └── data_stream │ ├── alerts │ ├── linux │ 
│ ├── linux_malicious_behavior_alert.yaml │ │ ├── linux_malware_alert.yaml │ │ └── linux_memory_threat_alert.yaml │ ├── macos │ │ ├── macos_malicious_behavior_alert.yaml │ │ ├── macos_malware_alert.yaml │ │ └── macos_memory_threat_alert.yaml │ └── windows │ │ ├── windows_malicious_behavior_alert.yaml │ │ ├── windows_malware_alert.yaml │ │ ├── windows_memory_threat_alert.yaml │ │ ├── windows_ransomware_alert.yaml │ │ └── windows_shellcode_thread.yaml │ ├── api │ └── windows │ │ ├── windows_api_amsi.yaml │ │ ├── windows_api_asm.yaml │ │ ├── windows_api_credential_access.yaml │ │ ├── windows_api_kernel_audit.yaml │ │ ├── windows_api_tcpip.yaml │ │ ├── windows_api_threat_intelligence.yaml │ │ ├── windows_api_win32k.yaml │ │ └── windows_api_wmi.yaml │ ├── file │ ├── linux │ │ ├── linux_file_create.yaml │ │ ├── linux_file_delete.yaml │ │ ├── linux_file_endpoint_unquarantine.yaml │ │ └── linux_file_rename.yaml │ ├── macos │ │ ├── macos_file_access.yaml │ │ ├── macos_file_delete.yaml │ │ ├── macos_file_endpoint_unquarantine.yaml │ │ ├── macos_file_extended_attributes_delete.yaml │ │ ├── macos_file_launch_daemon.yaml │ │ ├── macos_file_modification.yaml │ │ ├── macos_file_mount.yaml │ │ └── macos_file_rename.yaml │ └── windows │ │ ├── windows_file_create.yaml │ │ ├── windows_file_delete.yaml │ │ ├── windows_file_endpoint_unquarantine.yaml │ │ ├── windows_file_modification.yaml │ │ ├── windows_file_open.yaml │ │ ├── windows_file_overwrite.yaml │ │ └── windows_file_rename.yaml │ ├── library │ ├── macos │ │ └── macos_library_load.yaml │ └── windows │ │ └── windows_library_load.yaml │ ├── metadata │ └── metadata.yaml │ ├── metrics │ └── metrics.yaml │ ├── network │ ├── linux │ │ ├── linux_network_attempted_accepted_and_disconnect.yaml │ │ └── linux_network_dns_lookup_result.yaml │ ├── macos │ │ ├── macos_network_connection_attempted_and_disconnect.yaml │ │ └── macos_network_dns_lookup_result.yaml │ └── windows │ │ ├── windows_network_attempted_accepted_and_disconnect.yaml │ │ 
├── windows_network_dns_lookup_requested.yaml │ │ └── windows_network_dns_lookup_result.yaml │ ├── policy │ └── policy_response.yaml │ ├── process │ ├── linux │ │ ├── linux_process_already_running.yaml │ │ ├── linux_process_fork_exec_exit.yaml │ │ ├── linux_process_gid_change.yaml │ │ ├── linux_process_memfd_create.yaml │ │ ├── linux_process_ptrace.yaml │ │ ├── linux_process_session_id_change.yaml │ │ ├── linux_process_shmget.yaml │ │ ├── linux_process_text_output.yaml │ │ └── linux_process_uid_change.yaml │ ├── macos │ │ ├── macos_process_already_running.yaml │ │ ├── macos_process_fork_exec_exit.yaml │ │ └── macos_process_remote_thread.yaml │ └── windows │ │ ├── windows_process_already_running.yaml │ │ └── windows_process_create_and_exit.yaml │ ├── registry │ └── windows │ │ ├── windows_registry_modification.yaml │ │ └── windows_registry_query.yaml │ ├── security │ ├── macos │ │ ├── macos_security_gatekeeper_override.yaml │ │ ├── macos_security_log_on.yaml │ │ ├── macos_security_rdp_log_on.yaml │ │ └── macos_security_ssh_log_on.yaml │ └── windows │ │ ├── windows_security_log_off.yaml │ │ └── windows_security_log_on.yaml │ └── volume_device │ └── windows │ ├── windows_volume_device_mount.yaml │ └── windows_volume_device_unmount.yaml ├── custom_schemas ├── README.md ├── custom_action_policy.yml ├── custom_action_space.yml ├── custom_api.yml ├── custom_base.yml ├── custom_call_stack.yml ├── custom_data_stream.yml ├── custom_dll.yml ├── custom_dns.yml ├── custom_effective_process.yml ├── custom_elastic.yml ├── custom_endpoint.yml ├── custom_endpoint_actions.yml ├── custom_event.yml ├── custom_file.yml ├── custom_group.yml ├── custom_hash.yml ├── custom_http.yml ├── custom_macro.yml ├── custom_malware_classification.yml ├── custom_malware_signature.yml ├── custom_memory_protection.yml ├── custom_memory_region.yml ├── custom_os.yml ├── custom_pe.yml ├── custom_persistence.yml ├── custom_process.yml ├── custom_ransomware.yml ├── custom_responses.yml ├── custom_target.yml 
├── custom_token.yml ├── custom_user.yml ├── custom_winlog.yml └── endgame │ └── custom_endgame.yaml ├── custom_subsets ├── README.md ├── elastic_endpoint │ ├── action_responses │ │ └── action_responses.yaml │ ├── actions │ │ └── actions.yaml │ ├── alerts │ │ ├── linux_event_model_event.yaml │ │ ├── malware_event.yaml │ │ ├── memory_protection_event.yaml │ │ ├── ransomware_event.yaml │ │ └── rule_detection_event.yaml │ ├── api │ │ └── api.yaml │ ├── collection │ │ └── collection.yaml │ ├── file │ │ ├── file.yaml │ │ └── unquarantine.yaml │ ├── heartbeat │ │ └── heartbeat.yaml │ ├── library │ │ └── library.yaml │ ├── metadata │ │ └── metadata.yaml │ ├── metrics │ │ └── metrics.yaml │ ├── network │ │ └── network.yaml │ ├── policy │ │ └── policy.yaml │ ├── process │ │ ├── linux_event_model_event.yaml │ │ └── process.yaml │ ├── registry │ │ └── registry.yaml │ └── security │ │ └── security.yaml └── legacy │ ├── alert.yaml │ ├── dns.yaml │ ├── file.yaml │ ├── imageload.yaml │ ├── network.yaml │ ├── process.yaml │ └── registry.yaml ├── dashboards └── endpoint_dashboard.ndjson ├── doc_templates └── endpoint │ └── docs │ ├── CustomDocumentation.md │ ├── CustomDocumentationREADME.md │ └── README.md ├── docker-compose.yml ├── docs ├── token_repo.png └── token_user.png ├── go.mod ├── go.sum ├── package-registry.config.yml ├── package └── endpoint │ ├── changelog.yml │ ├── data_stream │ ├── action_responses │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── actions │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ 
└── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── alerts │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── api │ │ ├── _dev │ │ │ ├── test-common-config.yml │ │ │ └── test-ingest-timestamp.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── collection │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ ├── ilm │ │ │ │ └── diagnostic.json │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ └── manifest.yml │ ├── file │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── heartbeat │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── library │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── metadata │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── 
test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── metrics │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── network │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-dns.json │ │ │ │ ├── test-dns.json-expected.json │ │ │ │ ├── test-geo.json │ │ │ │ ├── test-geo.json-expected.json │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.yml │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── policy │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── process │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── registry │ │ ├── _dev │ │ │ └── test │ │ │ │ └── pipeline │ │ │ │ ├── test-common-config.yml │ │ │ │ ├── test-ingest-timestamp.json │ │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ 
│ │ └── ingest_pipeline │ │ │ │ └── default.json │ │ ├── fields │ │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ └── security │ │ ├── _dev │ │ └── test │ │ │ └── pipeline │ │ │ ├── test-common-config.yml │ │ │ ├── test-ingest-timestamp.json │ │ │ └── test-ingest-timestamp.json-expected.json │ │ ├── elasticsearch │ │ └── ingest_pipeline │ │ │ └── default.json │ │ ├── fields │ │ └── fields.yml │ │ ├── manifest.yml │ │ └── sample_event.json │ ├── docs │ └── README.md │ ├── elasticsearch │ ├── index_template │ │ ├── metrics-metadata-current.json │ │ └── metrics-metadata-united.json │ └── transform │ │ ├── metadata_current │ │ └── default.json │ │ └── metadata_united │ │ └── default.json │ ├── img │ └── security-logo-color-64px.svg │ └── manifest.yml ├── schemas ├── README.md ├── examples │ └── v1 │ │ ├── api_event_virtualprotect_windows.json │ │ ├── dns_lookup_failure_windows.json │ │ ├── dns_request_windows.json │ │ ├── driver_loaded_linux.json │ │ ├── driver_loaded_windows.json │ │ ├── file_modified_linux.json │ │ ├── file_modified_windows.json │ │ ├── library_loaded_linux.json │ │ ├── library_loaded_windows.json │ │ ├── malware_alert.json │ │ ├── metadata.json │ │ ├── network_http_request_windows.json │ │ ├── network_http_response_windows.json │ │ ├── network_inbound_connection_accepted_windows.json │ │ ├── network_inbound_connection_attempt_windows.json │ │ ├── network_inbound_disconnect_windows.json │ │ ├── network_inbound_reconnection_attempt_windows.json │ │ ├── network_outbound_connection_accepted_windows.json │ │ ├── network_outbound_connection_attempt_windows.json │ │ ├── network_outbound_disconnect_windows.json │ │ ├── network_outbound_reconnection_attempt_windows.json │ │ ├── process_already_running_windows.json │ │ ├── process_created_linux.json │ │ ├── process_created_windows.json │ │ ├── process_terminated_windows.json │ │ ├── process_uid_changed_linux.json │ │ ├── registry_creation.json │ │ ├── registry_deletion.json │ │ └── 
registry_modification.json ├── v0 │ ├── _template.yaml │ ├── dns.yaml │ ├── file.yaml │ ├── imageload.yaml │ ├── network.yaml │ ├── process.yaml │ └── registry.yaml └── v1 │ ├── action_responses │ └── action_responses.yaml │ ├── actions │ └── actions.yaml │ ├── alerts │ ├── linux_event_model_event.yaml │ ├── malware_event.yaml │ ├── memory_protection_event.yaml │ ├── ransomware_event.yaml │ └── rule_detection_event.yaml │ ├── api │ └── api.yaml │ ├── collection │ └── collection.yaml │ ├── file │ ├── file.yaml │ └── unquarantine.yaml │ ├── heartbeat │ └── heartbeat.yaml │ ├── library │ └── library.yaml │ ├── metadata │ └── metadata.yaml │ ├── metrics │ └── metrics.yaml │ ├── network │ └── network.yaml │ ├── policy │ └── policy.yaml │ ├── process │ ├── linux_event_model_event.yaml │ └── process.yaml │ ├── registry │ └── registry.yaml │ └── security │ └── security.yaml └── scripts ├── event_schema_generator ├── README.md └── main.py ├── generate-docs ├── README.md ├── custom_doc.go ├── doc_template.go ├── exported_fields.go ├── main.go ├── packages.go └── sample_event.go ├── go-tools ├── README.md └── tools.go ├── requirements.txt ├── saved_object_decoder ├── README.md └── so_decoder.py └── yaml_merger └── process_yaml.py /.backportrc.json: -------------------------------------------------------------------------------- 1 | { 2 | "targetBranchChoices": [ 3 | "7.9", 4 | "7.10", 5 | "7.11", 6 | "7.12", 7 | "7.13", 8 | "7.14", 9 | "7.15", 10 | "7.16", 11 | "7.17", 12 | "8.0", 13 | "8.1", 14 | "8.2", 15 | "8.3", 16 | "8.4", 17 | "8.5", 18 | "8.6" 19 | ], 20 | "targetPRLabels": [ 21 | "backport" 22 | ], 23 | "upstream": "elastic/endpoint-package" 24 | } 25 | -------------------------------------------------------------------------------- /.buildkite/scripts/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | 4 | set -euo pipefail 5 | 6 | echo "--- Install python3 virtualenv" 7 | apt update -y && apt install 
-y python3.11-venv 8 | 9 | 10 | echo "--- Build" 11 | make 12 | 13 | 14 | echo "--- Check Git Diff" 15 | echo "update git index" 16 | git update-index -q --really-refresh 17 | 18 | echo "check for uncommitted build artifacts" 19 | git diff-index --exit-code HEAD -- 20 | -------------------------------------------------------------------------------- /.buildkite/scripts/check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | echo "--- Install requirement" 6 | echo "Install Go" 7 | GO_INSTALLER=go1.21.1.linux-amd64.tar.gz 8 | curl -sLO https://go.dev/dl/$GO_INSTALLER 9 | mkdir ~/.local/ 10 | tar xzf $GO_INSTALLER -C $HOME/.local 11 | rm -f $GO_INSTALLER 12 | export PATH=$HOME/.local/go/bin:$PATH 13 | 14 | echo "Install elastic-package" 15 | make elastic-package 16 | 17 | 18 | echo "--- Retrieving stack version" 19 | # Use STACK_VERSION if defined, else use the output of .buildkite/scripts/find_oldest_supported_version.py 20 | _STACK_VERSION=${STACK_VERSION:-$(python3 .buildkite/scripts/find_oldest_supported_version.py)} 21 | echo "Using stack version $_STACK_VERSION" 22 | 23 | echo "--- Prepare stack" 24 | echo "Update the Elastic stack" 25 | ./scripts/go-tools/bin/elastic-package stack update -v --version ${_STACK_VERSION} 26 | 27 | echo "Boot up the Elastic stack" 28 | ./scripts/go-tools/bin/elastic-package stack up --services elasticsearch -d -v --version ${_STACK_VERSION} 29 | 30 | 31 | echo "--- Static tests" 32 | eval "$(./scripts/go-tools/bin/elastic-package stack shellinit)" 33 | make static-test 34 | 35 | echo "--- Pipeline tests" 36 | eval "$(./scripts/go-tools/bin/elastic-package stack shellinit)" 37 | make pipeline-test 38 | -------------------------------------------------------------------------------- /.bumpversion.cfg: -------------------------------------------------------------------------------- 1 | [bumpversion] 2 | current_version = 8.6.0-dev.0 3 | commit = True 
4 | parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))? 5 | serialize = 6 | {major}.{minor}.{patch}-{release}.{build} 7 | {major}.{minor}.{patch} 8 | 9 | [bumpversion:part:release] 10 | optional_value = prod 11 | first_value = dev 12 | values = 13 | dev 14 | prod 15 | 16 | [bumpversion:part:build] 17 | 18 | [bumpversion:file:./package/endpoint/manifest.yml] 19 | search = 20 | version: {current_version} 21 | categories: ["security", "edr_xdr"] 22 | replace = 23 | version: {new_version} 24 | categories: ["security", "edr_xdr"] 25 | -------------------------------------------------------------------------------- /.ci/jobs/defaults.yml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | 4 | ##### GLOBAL METADATA 5 | 6 | - meta: 7 | cluster: fleet-ci 8 | 9 | ##### JOB DEFAULTS 10 | 11 | - job: 12 | logrotate: 13 | numToKeep: 20 14 | node: linux 15 | concurrent: true 16 | publishers: 17 | - email: 18 | recipients: endpoint-management+pkgbuild@elastic.co 19 | prune-dead-branches: true 20 | -------------------------------------------------------------------------------- /.ci/jobs/endpoint-package-mbp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - job: 3 | name: "endpoint-package-mbp" 4 | display-name: endpoint-package 5 | description: endpoint-package 6 | project-type: multibranch 7 | script-path: .ci/Jenkinsfile 8 | disabled: true 9 | scm: 10 | - github: 11 | branch-discovery: no-pr 12 | discover-pr-forks-strategy: merge-current 13 | discover-pr-forks-trust: permission 14 | discover-pr-origin: merge-current 15 | discover-tags: true 16 | notification-context: 'fleet-ci' 17 | repo: endpoint-package 18 | repo-owner: elastic 19 | credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken 20 | ssh-checkout: 21 | credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba 22 | build-strategies: 23 | - tags: 24 | ignore-tags-older-than: -1 25 | ignore-tags-newer-than: -1 26 | - 
regular-branches: true 27 | - change-request: 28 | ignore-target-only-changes: true 29 | clean: 30 | after: true 31 | before: true 32 | prune: true 33 | shallow-clone: true 34 | depth: 4 35 | do-not-fetch-tags: true 36 | submodule: 37 | disable: false 38 | recursive: true 39 | parent-credentials: true 40 | timeout: 100 41 | timeout: '15' 42 | use-author: true 43 | wipe-workspace: true 44 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | generated/** linguist-generated=true 2 | schemas/** linguist-generated=true 3 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # The security onboarding team manages this package. 2 | * @elastic/security-defend-workflows 3 | 4 | # The custom_docs do not ship with the package itself, and are managed by the endpoint team. 5 | # Later rules in this file take precedence over earlier ones. 6 | /custom_documentation/ @elastic/elastic-endpoint 7 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE: -------------------------------------------------------------------------------- 1 | ## Change Summary 2 | 3 | 4 | 5 | 6 | ### Sample values 7 | 8 | 14 | 15 | 16 | Sample document: 17 | 18 | ```json 19 | 20 | 21 | ``` 22 | 23 | 24 | ## Release Target 25 | 26 | 27 | 28 | 29 | ## Q/A 30 | 31 | 32 | 33 | ### For mapping changes: 34 | 35 | - [ ] I ran `make` after making the schema changes, and committed all changes 36 | - [ ] If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see [Readme](https://github.com/elastic/endpoint-package#exceptionable)) 37 | - [ ] If this is a `metadata` change, I also updated both transform destination schemas to match 38 | 39 | ### For Transform changes: 40 | 41 | 
- [ ] The new transform successfully starts in Kibana 42 | - [ ] The corresponding transform destination schema was updated if necessary 43 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | out 3 | config.mk 4 | .vscode 5 | build 6 | scripts/go-tools/bin 7 | venv/ 8 | vendor/ 9 | generated/ 10 | .DS_Store 11 | *.swp 12 | -------------------------------------------------------------------------------- /.go-version: -------------------------------------------------------------------------------- 1 | 1.20.5 2 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | **/endpoint/**/*.yml 2 | **/endpoint/**/*.yaml 3 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Elastic Endpoint Package 2 | Copyright 2017-2025 Elasticsearch B.V. 3 | 4 | This product includes software developed at 5 | Elasticsearch, B.V. (https://www.elastic.co/). 
6 | -------------------------------------------------------------------------------- /catalog-info.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://gist.githubusercontent.com/elasticmachine/988b80dae436cafea07d9a4a460a011d/raw/e57ee3bed7a6f73077a3f55a38e76e40ec87a7cf/rre.schema.json 3 | apiVersion: backstage.io/v1alpha1 4 | kind: Resource 5 | metadata: 6 | name: endpoint-package-pipeline 7 | description: Buildkite Pipeline for endpoint-package 8 | links: 9 | - title: Endpoint Package Pipeline 10 | url: https://buildkite.com/elastic/endpoint-package 11 | 12 | spec: 13 | type: buildkite-pipeline 14 | owner: group:security-defend-workflows 15 | system: buildkite 16 | implementation: 17 | apiVersion: buildkite.elastic.dev/v1 18 | kind: Pipeline 19 | metadata: 20 | name: endpoint-package 21 | spec: 22 | repository: elastic/endpoint-package 23 | pipeline_file: ".buildkite/pipeline.yml.py" 24 | # branch_configuration must be a space separated list of branches 25 | # to build automatically. 
26 | branch_configuration: main 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.x 9.0 27 | cancel_intermediate_builds: true 28 | # Do not accidentally skip main or a release branch that may be in the middle of releasing 29 | cancel_intermediate_builds_branch_filter: '!main !8.12 !8.13 !8.14 !8.15 !8.16 !8.17 !8.18 !8.x !9.0' 30 | skip_intermediate_builds: true 31 | # Do not accidentally skip main or a release branch that may be in the middle of releasing 32 | skip_intermediate_builds_branch_filter: '!main !8.12 !8.13 !8.14 !8.15 !8.16 !8.17 !8.18 !8.x !9.0' 33 | provider_settings: 34 | build_pull_request_forks: false 35 | build_pull_request_labels_changed: false 36 | build_pull_requests: true 37 | build_tags: false 38 | cancel_deleted_branch_builds: true 39 | skip_builds_for_existing_commits: true 40 | skip_pull_request_builds_for_existing_commits: true 41 | teams: 42 | endpoint-ci-admin: {} 43 | security-defend-workflows: 44 | access_level: BUILD_AND_READ 45 | everyone: 46 | access_level: READ_ONLY 47 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/README.md: -------------------------------------------------------------------------------- 1 | ## Endpoint Event Documentation 2 | 3 | **This documentation is still beta** 4 | 5 | The subdirectories document all ECS fields that may exist in documents generated by Endpoint into 6 | logs and metrics data streams. Only fields included by Endpoint are documented; those added during 7 | integration pipeline enrichment in Elasticsearch are outside the scope of this documentation. 8 | 9 | Endpoint state management documents are described in a cross-platform way because they are largely 10 | identical on each OS. Events are documented per-OS. Documentation for each state management or event 11 | document includes the relevant OS(es), the data stream the document is found in, a KQL filter to 12 | match on the document, and all the fields associated with the document. 
13 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/api/windows/windows_api_kernel_audit.md: -------------------------------------------------------------------------------- 1 | # Windows API 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.api-*` 5 | - KQL: `event.dataset : "endpoint.events.api" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Kernel-Audit-API-Calls" and host.os.type : "windows"` 6 | 7 | This event is generated when ETW Microsoft-Windows-Kernel-Audit-API-Calls events are generated. 8 | 9 | | Field | 10 | |---| 11 | | @timestamp | 12 | | agent.id | 13 | | agent.type | 14 | | agent.version | 15 | | data_stream.dataset | 16 | | data_stream.namespace | 17 | | data_stream.type | 18 | | ecs.version | 19 | | elastic.agent.id | 20 | | event.category | 21 | | event.created | 22 | | event.dataset | 23 | | event.id | 24 | | event.kind | 25 | | event.module | 26 | | event.outcome | 27 | | event.provider | 28 | | event.sequence | 29 | | event.type | 30 | | host.architecture | 31 | | host.hostname | 32 | | host.id | 33 | | host.ip | 34 | | host.mac | 35 | | host.name | 36 | | host.os.Ext.variant | 37 | | host.os.family | 38 | | host.os.full | 39 | | host.os.kernel | 40 | | host.os.name | 41 | | host.os.platform | 42 | | host.os.type | 43 | | host.os.version | 44 | | message | 45 | | process.Ext.api.behaviors | 46 | | process.Ext.api.name | 47 | | process.Ext.api.summary | 48 | | process.Ext.code_signature.exists | 49 | | process.Ext.code_signature.status | 50 | | process.Ext.code_signature.subject_name | 51 | | process.Ext.code_signature.trusted | 52 | | process.Ext.protection | 53 | | process.Ext.token.integrity_level_name | 54 | | process.code_signature.exists | 55 | | process.code_signature.status | 56 | | process.code_signature.subject_name | 57 | | process.code_signature.trusted | 58 | | process.command_line | 59 | | process.entity_id | 60 | | 
process.executable | 61 | | process.name | 62 | | process.parent.executable | 63 | | process.pid | 64 | | process.thread.id | 65 | | user.domain | 66 | | user.id | 67 | | user.name | 68 | 69 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/api/windows/windows_api_tcpip.md: -------------------------------------------------------------------------------- 1 | # Windows API 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.api-*` 5 | - KQL: `event.dataset : "endpoint.events.api" and event.module : "endpoint" and event.provider : "Microsoft-Windows-TCPIP" and host.os.type : "windows"` 6 | 7 | This event is generated when ETW Microsoft-Windows-TCPIP events are generated. 8 | 9 | | Field | 10 | |---| 11 | | @timestamp | 12 | | agent.id | 13 | | agent.type | 14 | | agent.version | 15 | | data_stream.dataset | 16 | | data_stream.namespace | 17 | | data_stream.type | 18 | | destination.ip | 19 | | destination.port | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.provider | 30 | | event.sequence | 31 | | event.type | 32 | | host.architecture | 33 | | host.hostname | 34 | | host.id | 35 | | host.ip | 36 | | host.mac | 37 | | host.name | 38 | | host.os.Ext.variant | 39 | | host.os.family | 40 | | host.os.full | 41 | | host.os.kernel | 42 | | host.os.name | 43 | | host.os.platform | 44 | | host.os.type | 45 | | host.os.version | 46 | | message | 47 | | network.transport | 48 | | network.type | 49 | | process.Ext.api.behaviors | 50 | | process.Ext.api.name | 51 | | process.Ext.api.summary | 52 | | process.Ext.code_signature.exists | 53 | | process.Ext.code_signature.status | 54 | | process.Ext.code_signature.subject_name | 55 | | process.Ext.code_signature.trusted | 56 | | process.Ext.protection | 57 | | 
process.Ext.token.integrity_level_name | 58 | | process.code_signature.exists | 59 | | process.code_signature.status | 60 | | process.code_signature.subject_name | 61 | | process.code_signature.trusted | 62 | | process.command_line | 63 | | process.entity_id | 64 | | process.executable | 65 | | process.name | 66 | | process.parent.executable | 67 | | process.pid | 68 | | process.thread.id | 69 | | user.domain | 70 | | user.id | 71 | | user.name | 72 | 73 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/linux/linux_file_create.md: -------------------------------------------------------------------------------- 1 | # Linux File Create 2 | 3 | - OS: Linux 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "creation" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` 6 | 7 | This event is generated when a file is created. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.action | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.sequence | 30 | | event.type | 31 | | file.extension | 32 | | file.hash.sha256 | 33 | | file.name | 34 | | file.path | 35 | | group.Ext.real.id | 36 | | group.Ext.real.name | 37 | | group.id | 38 | | group.name | 39 | | host.architecture | 40 | | host.hostname | 41 | | host.id | 42 | | host.ip | 43 | | host.mac | 44 | | host.name | 45 | | host.os.Ext.variant | 46 | | host.os.family | 47 | | host.os.full | 48 | | host.os.kernel | 49 | | host.os.name | 50 | | host.os.platform | 51 | | host.os.type | 52 | | host.os.version | 53 | | message | 54 | | process.Ext.ancestry | 55 | | 
process.command_line | 56 | | process.entity_id | 57 | | process.entry_leader.entity_id | 58 | | process.entry_leader.parent.entity_id | 59 | | process.executable | 60 | | process.group_leader.entity_id | 61 | | process.name | 62 | | process.parent.entity_id | 63 | | process.pid | 64 | | process.session_leader.entity_id | 65 | | user.Ext.real.id | 66 | | user.Ext.real.name | 67 | | user.id | 68 | | user.name | 69 | 70 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/linux/linux_file_delete.md: -------------------------------------------------------------------------------- 1 | # Linux File Delete 2 | 3 | - OS: Linux 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` 6 | 7 | This event is generated when a file is deleted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.action | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.sequence | 30 | | event.type | 31 | | file.extension | 32 | | file.name | 33 | | file.path | 34 | | group.Ext.real.id | 35 | | group.Ext.real.name | 36 | | group.id | 37 | | group.name | 38 | | host.architecture | 39 | | host.hostname | 40 | | host.id | 41 | | host.ip | 42 | | host.mac | 43 | | host.name | 44 | | host.os.Ext.variant | 45 | | host.os.family | 46 | | host.os.full | 47 | | host.os.kernel | 48 | | host.os.name | 49 | | host.os.platform | 50 | | host.os.type | 51 | | host.os.version | 52 | | message | 53 | | process.Ext.ancestry | 54 | | process.command_line | 55 | | process.entity_id | 56 | | 
process.entry_leader.entity_id | 57 | | process.entry_leader.parent.entity_id | 58 | | process.executable | 59 | | process.group_leader.entity_id | 60 | | process.name | 61 | | process.parent.entity_id | 62 | | process.pid | 63 | | process.session_leader.entity_id | 64 | | user.Ext.real.id | 65 | | user.Ext.real.name | 66 | | user.id | 67 | | user.name | 68 | 69 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/linux/linux_file_endpoint_unquarantine.md: -------------------------------------------------------------------------------- 1 | # Linux Malware Unquarantine 2 | 3 | - OS: Linux 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` 6 | 7 | This event is generated when Endpoint restores a file from the malware quarantine. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.Ext.correlation.id | 22 | | event.action | 23 | | event.category | 24 | | event.created | 25 | | event.dataset | 26 | | event.id | 27 | | event.kind | 28 | | event.module | 29 | | event.outcome | 30 | | event.sequence | 31 | | event.type | 32 | | file.Ext.original.path | 33 | | file.hash.md5 | 34 | | file.hash.sha1 | 35 | | file.hash.sha256 | 36 | | file.name | 37 | | file.path | 38 | | host.architecture | 39 | | host.hostname | 40 | | host.id | 41 | | host.ip | 42 | | host.mac | 43 | | host.name | 44 | | host.os.Ext.variant | 45 | | host.os.family | 46 | | host.os.full | 47 | | host.os.kernel | 48 | | host.os.name | 49 | | host.os.platform | 50 | | host.os.type | 51 | | host.os.version | 52 | 53 | 
-------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/linux/linux_file_rename.md: -------------------------------------------------------------------------------- 1 | # Linux File Rename 2 | 3 | - OS: Linux 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "rename" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` 6 | 7 | This event is generated when a file is renamed. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.action | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.sequence | 30 | | event.type | 31 | | file.Ext.original.extension | 32 | | file.Ext.original.name | 33 | | file.Ext.original.path | 34 | | file.extension | 35 | | file.hash.sha256 | 36 | | file.name | 37 | | file.path | 38 | | group.Ext.real.id | 39 | | group.Ext.real.name | 40 | | group.id | 41 | | group.name | 42 | | host.architecture | 43 | | host.hostname | 44 | | host.id | 45 | | host.ip | 46 | | host.mac | 47 | | host.name | 48 | | host.os.Ext.variant | 49 | | host.os.family | 50 | | host.os.full | 51 | | host.os.kernel | 52 | | host.os.name | 53 | | host.os.platform | 54 | | host.os.type | 55 | | host.os.version | 56 | | message | 57 | | process.Ext.ancestry | 58 | | process.command_line | 59 | | process.entity_id | 60 | | process.entry_leader.entity_id | 61 | | process.entry_leader.parent.entity_id | 62 | | process.executable | 63 | | process.group_leader.entity_id | 64 | | process.name | 65 | | process.parent.entity_id | 66 | | process.pid | 67 | | process.session_leader.entity_id | 68 | | user.Ext.real.id | 69 | | 
user.Ext.real.name | 70 | | user.id | 71 | | user.name | 72 | 73 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_access.md: -------------------------------------------------------------------------------- 1 | # macOS File Access 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "open" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a file is accessed (opened); `event.action` is `open`. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.hash.sha256 | 36 | | file.inode | 37 | | file.name | 38 | | file.path | 39 | | file.size | 40 | | group.Ext.real.id | 41 | | group.id | 42 | | host.architecture | 43 | | host.hostname | 44 | | host.id | 45 | | host.ip | 46 | | host.mac | 47 | | host.name | 48 | | host.os.Ext.variant | 49 | | host.os.family | 50 | | host.os.full | 51 | | host.os.kernel | 52 | | host.os.name | 53 | | host.os.platform | 54 | | host.os.type | 55 | | host.os.version | 56 | | message | 57 | | process.name | 58 | | process.pid | 59 | | user.Ext.real.id | 60 | | user.id | 61 | 62 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_delete.md: -------------------------------------------------------------------------------- 1 | # 
macOS File Delete 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a file is deleted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.extension | 36 | | file.inode | 37 | | file.name | 38 | | file.path | 39 | | file.size | 40 | | group.Ext.real.id | 41 | | group.Ext.real.name | 42 | | group.id | 43 | | group.name | 44 | | host.architecture | 45 | | host.hostname | 46 | | host.id | 47 | | host.ip | 48 | | host.mac | 49 | | host.name | 50 | | host.os.Ext.variant | 51 | | host.os.family | 52 | | host.os.full | 53 | | host.os.kernel | 54 | | host.os.name | 55 | | host.os.platform | 56 | | host.os.type | 57 | | host.os.version | 58 | | message | 59 | | process.Ext.ancestry | 60 | | process.code_signature.exists | 61 | | process.code_signature.signing_id | 62 | | process.code_signature.status | 63 | | process.code_signature.subject_name | 64 | | process.code_signature.team_id | 65 | | process.code_signature.trusted | 66 | | process.command_line | 67 | | process.entity_id | 68 | | process.executable | 69 | | process.name | 70 | | process.parent.pid | 71 | | process.pid | 72 | | user.Ext.real.id | 73 | | user.Ext.real.name | 74 | | user.id | 75 | | user.name | 76 | 77 | 
-------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_endpoint_unquarantine.md: -------------------------------------------------------------------------------- 1 | # macOS Malware Unquarantine 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when Endpoint restores a file from the malware quarantine. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.Ext.correlation.id | 22 | | event.action | 23 | | event.category | 24 | | event.created | 25 | | event.dataset | 26 | | event.id | 27 | | event.kind | 28 | | event.module | 29 | | event.outcome | 30 | | event.sequence | 31 | | event.type | 32 | | file.Ext.original.path | 33 | | file.hash.md5 | 34 | | file.hash.sha1 | 35 | | file.hash.sha256 | 36 | | file.name | 37 | | file.path | 38 | | host.architecture | 39 | | host.hostname | 40 | | host.id | 41 | | host.ip | 42 | | host.mac | 43 | | host.name | 44 | | host.os.Ext.variant | 45 | | host.os.family | 46 | | host.os.full | 47 | | host.os.kernel | 48 | | host.os.name | 49 | | host.os.platform | 50 | | host.os.type | 51 | | host.os.version | 52 | 53 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_extended_attributes_delete.md: -------------------------------------------------------------------------------- 1 | # macOS File Extended Attributes Delete 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "extended_attributes_delete" and event.dataset : 
"endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when extended file attributes are deleted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.attributes | 36 | | file.hash.sha256 | 37 | | file.inode | 38 | | file.name | 39 | | file.path | 40 | | file.size | 41 | | group.Ext.real.id | 42 | | group.Ext.real.name | 43 | | group.id | 44 | | group.name | 45 | | host.architecture | 46 | | host.hostname | 47 | | host.id | 48 | | host.ip | 49 | | host.mac | 50 | | host.name | 51 | | host.os.Ext.variant | 52 | | host.os.family | 53 | | host.os.full | 54 | | host.os.kernel | 55 | | host.os.name | 56 | | host.os.platform | 57 | | host.os.type | 58 | | host.os.version | 59 | | message | 60 | | process.Ext.ancestry | 61 | | process.code_signature.exists | 62 | | process.code_signature.signing_id | 63 | | process.code_signature.status | 64 | | process.code_signature.subject_name | 65 | | process.code_signature.team_id | 66 | | process.code_signature.trusted | 67 | | process.entity_id | 68 | | process.executable | 69 | | process.name | 70 | | process.parent.pid | 71 | | process.pid | 72 | | user.Ext.real.id | 73 | | user.Ext.real.name | 74 | | user.id | 75 | | user.name | 76 | 77 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_launch_daemon.md: 
-------------------------------------------------------------------------------- 1 | # macOS Launch Daemon 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "launch_daemon" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event carries information about a macOS Launch Daemon, a common persistence mechanism; the daemon's name, program path, arguments and launch settings are recorded in the `Persistence.name`, `Persistence.path`, `Persistence.args`, `Persistence.runatload` and `Persistence.keepalive` fields. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | Persistence.args | 18 | | Persistence.keepalive | 19 | | Persistence.name | 20 | | Persistence.path | 21 | | Persistence.runatload | 22 | | agent.id | 23 | | agent.type | 24 | | agent.version | 25 | | data_stream.dataset | 26 | | data_stream.namespace | 27 | | data_stream.type | 28 | | ecs.version | 29 | | elastic.agent.id | 30 | | event.action | 31 | | event.category | 32 | | event.created | 33 | | event.dataset | 34 | | event.id | 35 | | event.kind | 36 | | event.module | 37 | | event.outcome | 38 | | event.sequence | 39 | | event.type | 40 | | group.Ext.real.id | 41 | | group.Ext.real.name | 42 | | group.id | 43 | | group.name | 44 | | host.architecture | 45 | | host.hostname | 46 | | host.id | 47 | | host.ip | 48 | | host.mac | 49 | | host.name | 50 | | host.os.Ext.variant | 51 | | host.os.family | 52 | | host.os.full | 53 | | host.os.kernel | 54 | | host.os.name | 55 | | host.os.platform | 56 | | host.os.type | 57 | | host.os.version | 58 | | message | 59 | | process.Ext.ancestry | 60 | | process.code_signature.exists | 61 | | process.code_signature.signing_id | 62 | | process.code_signature.status | 63 | | process.code_signature.subject_name | 64 | | process.code_signature.team_id | 65 | | process.code_signature.trusted | 66 | | process.entity_id | 67 | | process.executable | 68 | | process.name | 69 | | process.pid | 70 | | user.Ext.real.id | 71 | | user.Ext.real.name | 72 | | 
user.id | 73 | | user.name | 74 | 75 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_modification.md: -------------------------------------------------------------------------------- 1 | # macOS File Modification 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "modification" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a file is modified. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.header_bytes | 36 | | file.extension | 37 | | file.hash.sha256 | 38 | | file.inode | 39 | | file.name | 40 | | file.path | 41 | | file.size | 42 | | group.Ext.real.id | 43 | | group.Ext.real.name | 44 | | group.id | 45 | | group.name | 46 | | host.architecture | 47 | | host.hostname | 48 | | host.id | 49 | | host.ip | 50 | | host.mac | 51 | | host.name | 52 | | host.os.Ext.variant | 53 | | host.os.family | 54 | | host.os.full | 55 | | host.os.kernel | 56 | | host.os.name | 57 | | host.os.platform | 58 | | host.os.type | 59 | | host.os.version | 60 | | message | 61 | | process.Ext.ancestry | 62 | | process.code_signature.exists | 63 | | process.code_signature.signing_id | 64 | | process.code_signature.status | 65 | | process.code_signature.subject_name | 66 | | process.code_signature.team_id | 
67 | | process.code_signature.trusted | 68 | | process.command_line | 69 | | process.entity_id | 70 | | process.executable | 71 | | process.name | 72 | | process.parent.pid | 73 | | process.pid | 74 | | user.Ext.real.id | 75 | | user.Ext.real.name | 76 | | user.id | 77 | | user.name | 78 | 79 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_mount.md: -------------------------------------------------------------------------------- 1 | # macOS Mount 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "mount" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a file system is mounted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.original.path | 36 | | file.inode | 37 | | file.path | 38 | | group.Ext.real.id | 39 | | group.Ext.real.name | 40 | | group.id | 41 | | group.name | 42 | | host.architecture | 43 | | host.hostname | 44 | | host.id | 45 | | host.ip | 46 | | host.mac | 47 | | host.name | 48 | | host.os.Ext.variant | 49 | | host.os.family | 50 | | host.os.full | 51 | | host.os.kernel | 52 | | host.os.name | 53 | | host.os.platform | 54 | | host.os.type | 55 | | host.os.version | 56 | | message | 57 | | process.Ext.ancestry | 58 | | process.code_signature.exists | 59 | | 
process.code_signature.signing_id | 60 | | process.code_signature.status | 61 | | process.code_signature.subject_name | 62 | | process.code_signature.team_id | 63 | | process.code_signature.trusted | 64 | | process.entity_id | 65 | | process.executable | 66 | | process.name | 67 | | process.parent.pid | 68 | | process.pid | 69 | | user.Ext.real.id | 70 | | user.Ext.real.name | 71 | | user.id | 72 | | user.name | 73 | 74 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/macos/macos_file_rename.md: -------------------------------------------------------------------------------- 1 | # macOS File Rename 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "rename" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a file is renamed. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.original.extension | 36 | | file.Ext.original.path | 37 | | file.extension | 38 | | file.hash.sha256 | 39 | | file.inode | 40 | | file.name | 41 | | file.path | 42 | | file.size | 43 | | group.Ext.real.id | 44 | | group.Ext.real.name | 45 | | group.id | 46 | | group.name | 47 | | host.architecture | 48 | | host.hostname | 49 | | host.id | 50 | | host.ip | 51 | | host.mac | 52 | | host.name | 53 | | host.os.Ext.variant | 54 | | 
host.os.family | 55 | | host.os.full | 56 | | host.os.kernel | 57 | | host.os.name | 58 | | host.os.platform | 59 | | host.os.type | 60 | | host.os.version | 61 | | message | 62 | | process.Ext.ancestry | 63 | | process.code_signature.exists | 64 | | process.code_signature.signing_id | 65 | | process.code_signature.status | 66 | | process.code_signature.subject_name | 67 | | process.code_signature.team_id | 68 | | process.code_signature.trusted | 69 | | process.command_line | 70 | | process.entity_id | 71 | | process.executable | 72 | | process.name | 73 | | process.parent.pid | 74 | | process.pid | 75 | | user.Ext.real.id | 76 | | user.Ext.real.name | 77 | | user.id | 78 | | user.name | 79 | 80 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/windows/windows_file_delete.md: -------------------------------------------------------------------------------- 1 | # Windows File Delete 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a file is deleted. 
8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.entropy | 36 | | file.Ext.monotonic_id | 37 | | file.extension | 38 | | file.name | 39 | | file.path | 40 | | file.size | 41 | | host.architecture | 42 | | host.hostname | 43 | | host.id | 44 | | host.ip | 45 | | host.mac | 46 | | host.name | 47 | | host.os.Ext.variant | 48 | | host.os.family | 49 | | host.os.full | 50 | | host.os.kernel | 51 | | host.os.name | 52 | | host.os.platform | 53 | | host.os.type | 54 | | host.os.version | 55 | | message | 56 | | process.Ext.ancestry | 57 | | process.Ext.code_signature.exists | 58 | | process.Ext.code_signature.status | 59 | | process.Ext.code_signature.subject_name | 60 | | process.Ext.code_signature.trusted | 61 | | process.code_signature.exists | 62 | | process.code_signature.status | 63 | | process.code_signature.subject_name | 64 | | process.code_signature.trusted | 65 | | process.command_line | 66 | | process.entity_id | 67 | | process.executable | 68 | | process.name | 69 | | process.parent.pid | 70 | | process.pid | 71 | | process.thread.id | 72 | | user.domain | 73 | | user.id | 74 | | user.name | 75 | 76 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/windows/windows_file_endpoint_unquarantine.md: -------------------------------------------------------------------------------- 1 | # Windows Malware Unquarantine 2 | 3 | - OS: 
Windows 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when Endpoint restores a file from the malware quarantine. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.Ext.correlation.id | 22 | | event.action | 23 | | event.category | 24 | | event.created | 25 | | event.dataset | 26 | | event.id | 27 | | event.kind | 28 | | event.module | 29 | | event.outcome | 30 | | event.sequence | 31 | | event.type | 32 | | file.Ext.original.path | 33 | | file.hash.md5 | 34 | | file.hash.sha1 | 35 | | file.hash.sha256 | 36 | | file.name | 37 | | file.path | 38 | | host.architecture | 39 | | host.hostname | 40 | | host.id | 41 | | host.ip | 42 | | host.mac | 43 | | host.name | 44 | | host.os.Ext.variant | 45 | | host.os.family | 46 | | host.os.full | 47 | | host.os.kernel | 48 | | host.os.name | 49 | | host.os.platform | 50 | | host.os.type | 51 | | host.os.version | 52 | 53 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/windows/windows_file_modification.md: -------------------------------------------------------------------------------- 1 | # Windows File Modification 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "modification" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a file is modified. 
8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.entropy | 36 | | file.Ext.header_bytes | 37 | | file.Ext.monotonic_id | 38 | | file.extension | 39 | | file.hash.sha256 | 40 | | file.name | 41 | | file.path | 42 | | file.size | 43 | | host.architecture | 44 | | host.hostname | 45 | | host.id | 46 | | host.ip | 47 | | host.mac | 48 | | host.name | 49 | | host.os.Ext.variant | 50 | | host.os.family | 51 | | host.os.full | 52 | | host.os.kernel | 53 | | host.os.name | 54 | | host.os.platform | 55 | | host.os.type | 56 | | host.os.version | 57 | | message | 58 | | process.Ext.ancestry | 59 | | process.Ext.code_signature.exists | 60 | | process.Ext.code_signature.status | 61 | | process.Ext.code_signature.subject_name | 62 | | process.Ext.code_signature.trusted | 63 | | process.code_signature.exists | 64 | | process.code_signature.status | 65 | | process.code_signature.subject_name | 66 | | process.code_signature.trusted | 67 | | process.command_line | 68 | | process.entity_id | 69 | | process.executable | 70 | | process.name | 71 | | process.parent.pid | 72 | | process.pid | 73 | | process.thread.id | 74 | | user.domain | 75 | | user.id | 76 | | user.name | 77 | 78 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/windows/windows_file_open.md: -------------------------------------------------------------------------------- 1 | # Windows 
File Open 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "open" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a file is opened. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.entropy | 36 | | file.Ext.header_bytes | 37 | | file.Ext.monotonic_id | 38 | | file.extension | 39 | | file.hash.sha256 | 40 | | file.name | 41 | | file.path | 42 | | file.size | 43 | | host.architecture | 44 | | host.hostname | 45 | | host.id | 46 | | host.ip | 47 | | host.mac | 48 | | host.name | 49 | | host.os.Ext.variant | 50 | | host.os.family | 51 | | host.os.full | 52 | | host.os.kernel | 53 | | host.os.name | 54 | | host.os.platform | 55 | | host.os.type | 56 | | host.os.version | 57 | | message | 58 | | process.Ext.ancestry | 59 | | process.Ext.code_signature.exists | 60 | | process.Ext.code_signature.status | 61 | | process.Ext.code_signature.subject_name | 62 | | process.Ext.code_signature.trusted | 63 | | process.code_signature.exists | 64 | | process.code_signature.status | 65 | | process.code_signature.subject_name | 66 | | process.code_signature.trusted | 67 | | process.command_line | 68 | | process.entity_id | 69 | | process.executable | 70 | | process.name | 71 | | process.parent.pid | 72 | | process.pid | 73 | | process.thread.id | 74 | | user.domain | 75 | | user.id | 
76 | | user.name | 77 | 78 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/file/windows/windows_file_overwrite.md: -------------------------------------------------------------------------------- 1 | # Windows File Overwrite 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.file-*` 5 | - KQL: `event.action : "overwrite" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a file is overwritten. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | file.Ext.entropy | 36 | | file.Ext.header_bytes | 37 | | file.Ext.monotonic_id | 38 | | file.extension | 39 | | file.hash.sha256 | 40 | | file.name | 41 | | file.path | 42 | | file.size | 43 | | host.architecture | 44 | | host.hostname | 45 | | host.id | 46 | | host.ip | 47 | | host.mac | 48 | | host.name | 49 | | host.os.Ext.variant | 50 | | host.os.family | 51 | | host.os.full | 52 | | host.os.kernel | 53 | | host.os.name | 54 | | host.os.platform | 55 | | host.os.type | 56 | | host.os.version | 57 | | message | 58 | | process.Ext.ancestry | 59 | | process.Ext.code_signature.exists | 60 | | process.Ext.code_signature.status | 61 | | process.Ext.code_signature.subject_name | 62 | | process.Ext.code_signature.trusted | 63 | | process.code_signature.exists | 64 | | process.code_signature.status | 65 | 
process.code_signature.subject_name | 66 | | process.code_signature.trusted | 67 | | process.command_line | 68 | | process.entity_id | 69 | | process.executable | 70 | | process.name | 71 | | process.parent.pid | 72 | | process.pid | 73 | | process.thread.id | 74 | | user.domain | 75 | | user.id | 76 | | user.name | 77 | 78 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/library/macos/macos_library_load.md: -------------------------------------------------------------------------------- 1 | # macOS Library Load 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.library-*` 5 | - KQL: `event.action : "load" and event.dataset : "endpoint.events.library" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a dynamic library (dylib) is loaded. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | dll.Ext.size | 24 | | dll.code_signature.exists | 25 | | dll.code_signature.subject_name | 26 | | dll.code_signature.team_id | 27 | | dll.code_signature.trusted | 28 | | dll.hash.md5 | 29 | | dll.hash.sha1 | 30 | | dll.hash.sha256 | 31 | | dll.name | 32 | | dll.path | 33 | | ecs.version | 34 | | elastic.agent.id | 35 | | event.action | 36 | | event.category | 37 | | event.created | 38 | | event.dataset | 39 | | event.id | 40 | | event.kind | 41 | | event.module | 42 | | event.outcome | 43 | | event.sequence | 44 | | event.type | 45 | | group.Ext.real.id | 46 | | group.Ext.real.name | 47 | | group.id | 48 | | group.name | 49 | | host.architecture | 50 | | host.hostname | 51 | | host.id | 52 | | host.ip | 53 | | host.mac | 54 | | host.name | 55 | | host.os.Ext.variant | 56 | 
host.os.family | 57 | | host.os.full | 58 | | host.os.kernel | 59 | | host.os.name | 60 | | host.os.platform | 61 | | host.os.type | 62 | | host.os.version | 63 | | message | 64 | | process.Ext.ancestry | 65 | | process.code_signature.exists | 66 | | process.code_signature.signing_id | 67 | | process.code_signature.status | 68 | | process.code_signature.subject_name | 69 | | process.code_signature.team_id | 70 | | process.code_signature.trusted | 71 | | process.entity_id | 72 | | process.executable | 73 | | process.name | 74 | | process.pid | 75 | | user.Ext.real.id | 76 | | user.Ext.real.name | 77 | | user.id | 78 | | user.name | 79 | 80 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/metadata/metadata.md: -------------------------------------------------------------------------------- 1 | # Endpoint Metadata 2 | 3 | - OS: Linux, Windows, macOS 4 | - Data Stream: `metrics-endpoint.metadata-*` 5 | - KQL: `event.action : "endpoint_metadata" and event.dataset : "endpoint.metadata" and event.module : "endpoint"` 6 | 7 | This is a relatively small state management document that includes details about an installed Endpoint. 
8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Endpoint.capabilities | 14 | | Endpoint.configuration.isolation | 15 | | Endpoint.policy.applied.endpoint_policy_version | 16 | | Endpoint.policy.applied.id | 17 | | Endpoint.policy.applied.name | 18 | | Endpoint.policy.applied.status | 19 | | Endpoint.policy.applied.version | 20 | | Endpoint.state.isolation | 21 | | Endpoint.state.tamper_protection | 22 | | Endpoint.status | 23 | | agent.build.original | 24 | | agent.id | 25 | | agent.type | 26 | | agent.version | 27 | | data_stream.dataset | 28 | | data_stream.namespace | 29 | | data_stream.type | 30 | | ecs.version | 31 | | elastic.agent.id | 32 | | event.action | 33 | | event.category | 34 | | event.created | 35 | | event.dataset | 36 | | event.id | 37 | | event.kind | 38 | | event.module | 39 | | event.sequence | 40 | | event.type | 41 | | host.architecture | 42 | | host.hostname | 43 | | host.id | 44 | | host.ip | 45 | | host.mac | 46 | | host.name | 47 | | host.os.Ext.variant | 48 | | host.os.family | 49 | | host.os.full | 50 | | host.os.kernel | 51 | | host.os.name | 52 | | host.os.platform | 53 | | host.os.type | 54 | | host.os.version | 55 | | message | 56 | 57 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/network/linux/linux_network_dns_lookup_result.md: -------------------------------------------------------------------------------- 1 | # Linux DNS Lookup Result 2 | 3 | - OS: Linux 4 | - Data Stream: `logs-endpoint.events.network-*` 5 | - KQL: `event.action : "lookup_result" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "linux"` 6 | 7 | This event is generated when results are returned for a DNS lookup request. 
8 | 9 | | Field | 10 | |---| 11 | | @timestamp | 12 | | agent.id | 13 | | agent.type | 14 | | agent.version | 15 | | data_stream.dataset | 16 | | data_stream.namespace | 17 | | data_stream.type | 18 | | destination.address | 19 | | destination.ip | 20 | | destination.port | 21 | | dns.question.name | 22 | | dns.question.type | 23 | | dns.resolved_ip | 24 | | ecs.version | 25 | | elastic.agent.id | 26 | | event.action | 27 | | event.category | 28 | | event.created | 29 | | event.dataset | 30 | | event.id | 31 | | event.kind | 32 | | event.module | 33 | | event.outcome | 34 | | event.sequence | 35 | | event.type | 36 | | group.Ext.real.id | 37 | | group.Ext.real.name | 38 | | group.id | 39 | | group.name | 40 | | host.id | 41 | | host.name | 42 | | host.os.type | 43 | | message | 44 | | network.protocol | 45 | | network.transport | 46 | | process.Ext.ancestry | 47 | | process.command_line | 48 | | process.entity_id | 49 | | process.executable | 50 | | process.name | 51 | | process.parent.entity_id | 52 | | process.pid | 53 | | process.thread.capabilities.effective | 54 | | process.thread.capabilities.permitted | 55 | | source.address | 56 | | source.ip | 57 | | source.port | 58 | | user.Ext.real.id | 59 | | user.Ext.real.name | 60 | | user.id | 61 | | user.name | 62 | 63 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/network/windows/windows_network_dns_lookup_requested.md: -------------------------------------------------------------------------------- 1 | # Windows DNS Lookup Request 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.network-*` 5 | - KQL: `event.action : "lookup_requested" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a DNS lookup request is initiated. 
8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | destination.port | 20 | | dns.Ext.options | 21 | | dns.Ext.status | 22 | | dns.question.name | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | host.architecture | 36 | | host.hostname | 37 | | host.id | 38 | | host.ip | 39 | | host.mac | 40 | | host.name | 41 | | host.os.Ext.variant | 42 | | host.os.family | 43 | | host.os.full | 44 | | host.os.kernel | 45 | | host.os.name | 46 | | host.os.platform | 47 | | host.os.type | 48 | | host.os.version | 49 | | message | 50 | | network.destination.port | 51 | | network.protocol | 52 | | process.Ext.ancestry | 53 | | process.Ext.code_signature.exists | 54 | | process.Ext.code_signature.status | 55 | | process.Ext.code_signature.subject_name | 56 | | process.Ext.code_signature.trusted | 57 | | process.code_signature.exists | 58 | | process.code_signature.status | 59 | | process.code_signature.subject_name | 60 | | process.code_signature.trusted | 61 | | process.entity_id | 62 | | process.executable | 63 | | process.name | 64 | | process.pid | 65 | | user.domain | 66 | | user.id | 67 | | user.name | 68 | 69 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/network/windows/windows_network_dns_lookup_result.md: -------------------------------------------------------------------------------- 1 | # Windows DNS Lookup Result 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.network-*` 5 | - KQL: `event.action : "lookup_result" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : 
"windows"` 6 | 7 | This event is generated when results are returned for a DNS lookup request. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | destination.port | 20 | | dns.Ext.options | 21 | | dns.Ext.status | 22 | | dns.question.name | 23 | | dns.resolved_ip | 24 | | ecs.version | 25 | | elastic.agent.id | 26 | | event.action | 27 | | event.category | 28 | | event.created | 29 | | event.dataset | 30 | | event.id | 31 | | event.kind | 32 | | event.module | 33 | | event.outcome | 34 | | event.sequence | 35 | | event.type | 36 | | host.architecture | 37 | | host.hostname | 38 | | host.id | 39 | | host.ip | 40 | | host.mac | 41 | | host.name | 42 | | host.os.Ext.variant | 43 | | host.os.family | 44 | | host.os.full | 45 | | host.os.kernel | 46 | | host.os.name | 47 | | host.os.platform | 48 | | host.os.type | 49 | | host.os.version | 50 | | message | 51 | | network.destination.port | 52 | | network.protocol | 53 | | process.Ext.ancestry | 54 | | process.Ext.code_signature.exists | 55 | | process.Ext.code_signature.status | 56 | | process.Ext.code_signature.subject_name | 57 | | process.Ext.code_signature.trusted | 58 | | process.code_signature.exists | 59 | | process.code_signature.status | 60 | | process.code_signature.subject_name | 61 | | process.code_signature.trusted | 62 | | process.entity_id | 63 | | process.executable | 64 | | process.name | 65 | | process.pid | 66 | | user.domain | 67 | | user.id | 68 | | user.name | 69 | 70 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/registry/windows/windows_registry_modification.md: -------------------------------------------------------------------------------- 1 | # Windows Registry Modification 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.registry-*` 5 | - KQL: 
`event.action : "modification" and event.dataset : "endpoint.events.registry" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when the registry is modified. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | host.architecture | 36 | | host.hostname | 37 | | host.id | 38 | | host.ip | 39 | | host.mac | 40 | | host.name | 41 | | host.os.Ext.variant | 42 | | host.os.family | 43 | | host.os.full | 44 | | host.os.kernel | 45 | | host.os.name | 46 | | host.os.platform | 47 | | host.os.type | 48 | | host.os.version | 49 | | message | 50 | | process.Ext.ancestry | 51 | | process.Ext.code_signature.exists | 52 | | process.Ext.code_signature.status | 53 | | process.Ext.code_signature.subject_name | 54 | | process.Ext.code_signature.trusted | 55 | | process.code_signature.exists | 56 | | process.code_signature.status | 57 | | process.code_signature.subject_name | 58 | | process.code_signature.trusted | 59 | | process.entity_id | 60 | | process.executable | 61 | | process.name | 62 | | process.pid | 63 | | registry.data.bytes | 64 | | registry.data.strings | 65 | | registry.data.type | 66 | | registry.hive | 67 | | registry.key | 68 | | registry.path | 69 | | registry.value | 70 | | user.domain | 71 | | user.id | 72 | | user.name | 73 | 74 | -------------------------------------------------------------------------------- 
/custom_documentation/doc/endpoint/registry/windows/windows_registry_query.md: -------------------------------------------------------------------------------- 1 | # Windows Registry Query 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.registry-*` 5 | - KQL: `event.action : "query" and event.dataset : "endpoint.events.registry" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when the Windows registry is queried. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Effective_process.entity_id | 14 | | Effective_process.executable | 15 | | Effective_process.name | 16 | | Effective_process.pid | 17 | | agent.id | 18 | | agent.type | 19 | | agent.version | 20 | | data_stream.dataset | 21 | | data_stream.namespace | 22 | | data_stream.type | 23 | | ecs.version | 24 | | elastic.agent.id | 25 | | event.action | 26 | | event.category | 27 | | event.created | 28 | | event.dataset | 29 | | event.id | 30 | | event.kind | 31 | | event.module | 32 | | event.outcome | 33 | | event.sequence | 34 | | event.type | 35 | | host.architecture | 36 | | host.hostname | 37 | | host.id | 38 | | host.ip | 39 | | host.mac | 40 | | host.name | 41 | | host.os.Ext.variant | 42 | | host.os.family | 43 | | host.os.full | 44 | | host.os.kernel | 45 | | host.os.name | 46 | | host.os.platform | 47 | | host.os.type | 48 | | host.os.version | 49 | | message | 50 | | process.Ext.ancestry | 51 | | process.Ext.code_signature.exists | 52 | | process.Ext.code_signature.status | 53 | | process.Ext.code_signature.subject_name | 54 | | process.Ext.code_signature.trusted | 55 | | process.code_signature.exists | 56 | | process.code_signature.status | 57 | | process.code_signature.subject_name | 58 | | process.code_signature.trusted | 59 | | process.entity_id | 60 | | process.executable | 61 | | process.name | 62 | | process.pid | 63 | | registry.data.type | 64 | | registry.hive | 65 | | registry.key | 66 | | registry.path | 67 | | 
registry.value | 68 | | user.domain | 69 | | user.id | 70 | | user.name | 71 | 72 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/security/macos/macos_security_log_on.md: -------------------------------------------------------------------------------- 1 | # macOS User Log On 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.security-*` 5 | - KQL: `event.action : "log_on" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a user logs on to the computer. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Target.process.Ext.authentication_id | 14 | | agent.id | 15 | | agent.type | 16 | | agent.version | 17 | | data_stream.dataset | 18 | | data_stream.namespace | 19 | | data_stream.type | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.action | 23 | | event.category | 24 | | event.code | 25 | | event.created | 26 | | event.dataset | 27 | | event.id | 28 | | event.kind | 29 | | event.module | 30 | | event.outcome | 31 | | event.sequence | 32 | | event.type | 33 | | host.architecture | 34 | | host.hostname | 35 | | host.id | 36 | | host.ip | 37 | | host.mac | 38 | | host.name | 39 | | host.os.Ext.variant | 40 | | host.os.family | 41 | | host.os.full | 42 | | host.os.kernel | 43 | | host.os.name | 44 | | host.os.platform | 45 | | host.os.type | 46 | | host.os.version | 47 | | message | 48 | | process.Ext.ancestry | 49 | | process.Ext.authentication_id | 50 | | process.Ext.code_signature.exists | 51 | | process.Ext.code_signature.status | 52 | | process.Ext.code_signature.subject_name | 53 | | process.Ext.code_signature.trusted | 54 | | process.Ext.session_info.logon_type | 55 | | process.code_signature.exists | 56 | | process.code_signature.signing_id | 57 | | process.code_signature.status | 58 | | process.code_signature.subject_name | 59 | | process.code_signature.team_id | 60 | | 
process.code_signature.trusted | 61 | | process.entity_id | 62 | | process.executable | 63 | | process.name | 64 | | process.pid | 65 | | user.domain | 66 | | user.effective.domain | 67 | | user.effective.email | 68 | | user.effective.full_name | 69 | | user.effective.hash | 70 | | user.effective.id | 71 | | user.effective.name | 72 | | user.id | 73 | | user.name | 74 | 75 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/security/macos/macos_security_rdp_log_on.md: -------------------------------------------------------------------------------- 1 | # macOS Screensharing Log On 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.security-*` 5 | - KQL: `event.action : "rdp_log_on" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a user logs on to the computer with screensharing. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Target.process.Ext.authentication_id | 14 | | agent.id | 15 | | agent.type | 16 | | agent.version | 17 | | data_stream.dataset | 18 | | data_stream.namespace | 19 | | data_stream.type | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.action | 23 | | event.category | 24 | | event.code | 25 | | event.created | 26 | | event.dataset | 27 | | event.id | 28 | | event.kind | 29 | | event.module | 30 | | event.outcome | 31 | | event.sequence | 32 | | event.type | 33 | | host.architecture | 34 | | host.hostname | 35 | | host.id | 36 | | host.ip | 37 | | host.mac | 38 | | host.name | 39 | | host.os.Ext.variant | 40 | | host.os.family | 41 | | host.os.full | 42 | | host.os.kernel | 43 | | host.os.name | 44 | | host.os.platform | 45 | | host.os.type | 46 | | host.os.version | 47 | | message | 48 | | process.Ext.ancestry | 49 | | process.Ext.authentication_id | 50 | | process.Ext.code_signature.exists | 51 | | process.Ext.code_signature.status | 52 | | 
process.Ext.code_signature.subject_name | 53 | | process.Ext.code_signature.trusted | 54 | | process.Ext.session_info.logon_type | 55 | | process.code_signature.exists | 56 | | process.code_signature.signing_id | 57 | | process.code_signature.status | 58 | | process.code_signature.subject_name | 59 | | process.code_signature.team_id | 60 | | process.code_signature.trusted | 61 | | process.entity_id | 62 | | process.executable | 63 | | process.name | 64 | | process.pid | 65 | | user.domain | 66 | | user.effective.domain | 67 | | user.effective.email | 68 | | user.effective.full_name | 69 | | user.effective.hash | 70 | | user.effective.id | 71 | | user.effective.name | 72 | | user.id | 73 | | user.name | 74 | 75 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/security/macos/macos_security_ssh_log_on.md: -------------------------------------------------------------------------------- 1 | # macOS SSH Log On 2 | 3 | - OS: macOS 4 | - Data Stream: `logs-endpoint.events.security-*` 5 | - KQL: `event.action : "ssh_log_on" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and host.os.type : "macos"` 6 | 7 | This event is generated when a user logs on to the computer with SSH. 
8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Target.process.Ext.authentication_id | 14 | | agent.id | 15 | | agent.type | 16 | | agent.version | 17 | | data_stream.dataset | 18 | | data_stream.namespace | 19 | | data_stream.type | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.action | 23 | | event.category | 24 | | event.code | 25 | | event.created | 26 | | event.dataset | 27 | | event.id | 28 | | event.kind | 29 | | event.module | 30 | | event.outcome | 31 | | event.sequence | 32 | | event.type | 33 | | host.architecture | 34 | | host.hostname | 35 | | host.id | 36 | | host.ip | 37 | | host.mac | 38 | | host.name | 39 | | host.os.Ext.variant | 40 | | host.os.family | 41 | | host.os.full | 42 | | host.os.kernel | 43 | | host.os.name | 44 | | host.os.platform | 45 | | host.os.type | 46 | | host.os.version | 47 | | message | 48 | | process.Ext.ancestry | 49 | | process.Ext.authentication_id | 50 | | process.Ext.code_signature.exists | 51 | | process.Ext.code_signature.status | 52 | | process.Ext.code_signature.subject_name | 53 | | process.Ext.code_signature.trusted | 54 | | process.Ext.session_info.logon_type | 55 | | process.code_signature.exists | 56 | | process.code_signature.signing_id | 57 | | process.code_signature.status | 58 | | process.code_signature.subject_name | 59 | | process.code_signature.team_id | 60 | | process.code_signature.trusted | 61 | | process.entity_id | 62 | | process.executable | 63 | | process.name | 64 | | process.pid | 65 | | user.domain | 66 | | user.effective.domain | 67 | | user.effective.email | 68 | | user.effective.full_name | 69 | | user.effective.hash | 70 | | user.effective.id | 71 | | user.effective.name | 72 | | user.id | 73 | | user.name | 74 | 75 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/security/windows/windows_security_log_off.md: -------------------------------------------------------------------------------- 1 | # 
Windows User Log Off 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.security-*` 5 | - KQL: `event.action : "log_off" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a user logs off of the computer. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Target.process.Ext.authentication_id | 14 | | agent.id | 15 | | agent.type | 16 | | agent.version | 17 | | data_stream.dataset | 18 | | data_stream.namespace | 19 | | data_stream.type | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.action | 23 | | event.category | 24 | | event.code | 25 | | event.created | 26 | | event.dataset | 27 | | event.id | 28 | | event.kind | 29 | | event.module | 30 | | event.outcome | 31 | | event.sequence | 32 | | event.type | 33 | | host.architecture | 34 | | host.hostname | 35 | | host.id | 36 | | host.ip | 37 | | host.mac | 38 | | host.name | 39 | | host.os.Ext.variant | 40 | | host.os.family | 41 | | host.os.full | 42 | | host.os.kernel | 43 | | host.os.name | 44 | | host.os.platform | 45 | | host.os.type | 46 | | host.os.version | 47 | | message | 48 | | process.Ext.ancestry | 49 | | process.Ext.code_signature.exists | 50 | | process.Ext.code_signature.status | 51 | | process.Ext.code_signature.subject_name | 52 | | process.Ext.code_signature.trusted | 53 | | process.Ext.session_info.logon_type | 54 | | process.code_signature.exists | 55 | | process.code_signature.status | 56 | | process.code_signature.subject_name | 57 | | process.code_signature.trusted | 58 | | process.entity_id | 59 | | process.executable | 60 | | user.domain | 61 | | user.effective.domain | 62 | | user.effective.email | 63 | | user.effective.full_name | 64 | | user.effective.hash | 65 | | user.effective.id | 66 | | user.effective.name | 67 | | user.id | 68 | | user.name | 69 | 70 | -------------------------------------------------------------------------------- 
/custom_documentation/doc/endpoint/security/windows/windows_security_log_on.md: -------------------------------------------------------------------------------- 1 | # Windows User Log On 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.security-*` 5 | - KQL: `event.action : "log_on" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a user logs on to the computer. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | Target.process.Ext.authentication_id | 14 | | agent.id | 15 | | agent.type | 16 | | agent.version | 17 | | data_stream.dataset | 18 | | data_stream.namespace | 19 | | data_stream.type | 20 | | ecs.version | 21 | | elastic.agent.id | 22 | | event.action | 23 | | event.category | 24 | | event.code | 25 | | event.created | 26 | | event.dataset | 27 | | event.id | 28 | | event.kind | 29 | | event.module | 30 | | event.outcome | 31 | | event.sequence | 32 | | event.type | 33 | | host.architecture | 34 | | host.hostname | 35 | | host.id | 36 | | host.ip | 37 | | host.mac | 38 | | host.name | 39 | | host.os.Ext.variant | 40 | | host.os.family | 41 | | host.os.full | 42 | | host.os.kernel | 43 | | host.os.name | 44 | | host.os.platform | 45 | | host.os.type | 46 | | host.os.version | 47 | | message | 48 | | process.Ext.ancestry | 49 | | process.Ext.authentication_id | 50 | | process.Ext.code_signature.exists | 51 | | process.Ext.code_signature.status | 52 | | process.Ext.code_signature.subject_name | 53 | | process.Ext.code_signature.trusted | 54 | | process.Ext.session_info.logon_type | 55 | | process.code_signature.exists | 56 | | process.code_signature.status | 57 | | process.code_signature.subject_name | 58 | | process.code_signature.trusted | 59 | | process.entity_id | 60 | | process.executable | 61 | | process.name | 62 | | user.domain | 63 | | user.effective.domain | 64 | | user.effective.email | 65 | | user.effective.full_name | 66 | | 
user.effective.hash | 67 | | user.effective.id | 68 | | user.effective.name | 69 | | user.id | 70 | | user.name | 71 | | winlog.event_data.PrivilegeList | 72 | 73 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/volume_device/windows/windows_volume_device_mount.md: -------------------------------------------------------------------------------- 1 | # Windows Device Mount 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.volume_device-*` 5 | - KQL: `event.action : "mount" and event.dataset : "endpoint.events.volume_device" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a device is mounted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.action | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.sequence | 30 | | event.type | 31 | | host.architecture | 32 | | host.hostname | 33 | | host.id | 34 | | host.ip | 35 | | host.mac | 36 | | host.name | 37 | | host.os.Ext.variant | 38 | | host.os.family | 39 | | host.os.full | 40 | | host.os.kernel | 41 | | host.os.name | 42 | | host.os.platform | 43 | | host.os.type | 44 | | host.os.version | 45 | | message | 46 | | process.Ext.ancestry | 47 | | process.Ext.code_signature.exists | 48 | | process.Ext.code_signature.status | 49 | | process.Ext.code_signature.subject_name | 50 | | process.Ext.code_signature.trusted | 51 | | process.code_signature.exists | 52 | | process.code_signature.status | 53 | | process.code_signature.subject_name | 54 | | process.code_signature.trusted | 55 | | process.entity_id | 56 | | process.executable | 57 | | process.name | 58 | | process.pid | 59 
| | user.domain | 60 | | user.id | 61 | | user.name | 62 | | volume.bus_type | 63 | | volume.device_type | 64 | | volume.dos_name | 65 | | volume.file_system_type | 66 | | volume.nt_name | 67 | | volume.product_name | 68 | | volume.serial_number | 69 | | volume.vendor_name | 70 | 71 | -------------------------------------------------------------------------------- /custom_documentation/doc/endpoint/volume_device/windows/windows_volume_device_unmount.md: -------------------------------------------------------------------------------- 1 | # Windows Device Unmount 2 | 3 | - OS: Windows 4 | - Data Stream: `logs-endpoint.events.volume_device-*` 5 | - KQL: `event.action : "unmount" and event.dataset : "endpoint.events.volume_device" and event.module : "endpoint" and host.os.type : "windows"` 6 | 7 | This event is generated when a device is unmounted. 8 | 9 | 10 | | Field | 11 | |---| 12 | | @timestamp | 13 | | agent.id | 14 | | agent.type | 15 | | agent.version | 16 | | data_stream.dataset | 17 | | data_stream.namespace | 18 | | data_stream.type | 19 | | ecs.version | 20 | | elastic.agent.id | 21 | | event.action | 22 | | event.category | 23 | | event.created | 24 | | event.dataset | 25 | | event.id | 26 | | event.kind | 27 | | event.module | 28 | | event.outcome | 29 | | event.sequence | 30 | | event.type | 31 | | host.architecture | 32 | | host.hostname | 33 | | host.id | 34 | | host.ip | 35 | | host.mac | 36 | | host.name | 37 | | host.os.Ext.variant | 38 | | host.os.family | 39 | | host.os.full | 40 | | host.os.kernel | 41 | | host.os.name | 42 | | host.os.platform | 43 | | host.os.type | 44 | | host.os.version | 45 | | message | 46 | | process.Ext.ancestry | 47 | | process.entity_id | 48 | | process.name | 49 | | process.pid | 50 | | user.domain | 51 | | user.id | 52 | | user.name | 53 | | volume.bus_type | 54 | | volume.device_type | 55 | | volume.dos_name | 56 | | volume.file_system_type | 57 | | volume.nt_name | 58 | | volume.product_name | 59 | | 
volume.serial_number | 60 | | volume.vendor_name | 61 | 62 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/api/windows/windows_api_kernel_audit.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows API 3 | description: This event is generated when ETW Microsoft-Windows-Kernel-Audit-API-Calls 4 | events are generated. 5 | identification: 6 | filter: 7 | event.dataset: endpoint.events.api 8 | event.module: endpoint 9 | event.provider: Microsoft-Windows-Kernel-Audit-API-Calls 10 | host.os.type: windows 11 | os: 12 | - windows 13 | data_stream: logs-endpoint.events.api-* 14 | fields: 15 | endpoint: 16 | - '@timestamp' 17 | - agent.id 18 | - agent.type 19 | - agent.version 20 | - data_stream.dataset 21 | - data_stream.namespace 22 | - data_stream.type 23 | - ecs.version 24 | - elastic.agent.id 25 | - event.category 26 | - event.created 27 | - event.dataset 28 | - event.id 29 | - event.kind 30 | - event.module 31 | - event.outcome 32 | - event.provider 33 | - event.sequence 34 | - event.type 35 | - host.architecture 36 | - host.hostname 37 | - host.id 38 | - host.ip 39 | - host.mac 40 | - host.name 41 | - host.os.Ext.variant 42 | - host.os.family 43 | - host.os.full 44 | - host.os.kernel 45 | - host.os.name 46 | - host.os.platform 47 | - host.os.type 48 | - host.os.version 49 | - message 50 | - process.Ext.api.behaviors 51 | - process.Ext.api.name 52 | - process.Ext.api.summary 53 | - process.Ext.code_signature.exists 54 | - process.Ext.code_signature.status 55 | - process.Ext.code_signature.subject_name 56 | - process.Ext.code_signature.trusted 57 | - process.Ext.protection 58 | - process.Ext.token.integrity_level_name 59 | - process.code_signature.exists 60 | - process.code_signature.status 61 | - process.code_signature.subject_name 62 | - process.code_signature.trusted 63 | - process.command_line 64 | - process.entity_id 65 
| - process.executable 66 | - process.name 67 | - process.parent.executable 68 | - process.pid 69 | - process.thread.id 70 | - user.domain 71 | - user.id 72 | - user.name 73 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/api/windows/windows_api_tcpip.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows API 3 | description: This event is generated when ETW Microsoft-Windows-TCPIP events are 4 | generated. 5 | identification: 6 | filter: 7 | event.dataset: endpoint.events.api 8 | event.module: endpoint 9 | event.provider: Microsoft-Windows-TCPIP 10 | host.os.type: windows 11 | os: 12 | - windows 13 | data_stream: logs-endpoint.events.api-* 14 | fields: 15 | endpoint: 16 | - '@timestamp' 17 | - agent.id 18 | - agent.type 19 | - agent.version 20 | - data_stream.dataset 21 | - data_stream.namespace 22 | - data_stream.type 23 | - destination.ip 24 | - destination.port 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.provider 35 | - event.sequence 36 | - event.type 37 | - host.architecture 38 | - host.hostname 39 | - host.id 40 | - host.ip 41 | - host.mac 42 | - host.name 43 | - host.os.Ext.variant 44 | - host.os.family 45 | - host.os.full 46 | - host.os.kernel 47 | - host.os.name 48 | - host.os.platform 49 | - host.os.type 50 | - host.os.version 51 | - message 52 | - network.transport 53 | - network.type 54 | - process.Ext.api.behaviors 55 | - process.Ext.api.name 56 | - process.Ext.api.summary 57 | - process.Ext.code_signature.exists 58 | - process.Ext.code_signature.status 59 | - process.Ext.code_signature.subject_name 60 | - process.Ext.code_signature.trusted 61 | - process.Ext.protection 62 | - process.Ext.token.integrity_level_name 63 | - process.code_signature.exists 64 | - 
process.code_signature.status 65 | - process.code_signature.subject_name 66 | - process.code_signature.trusted 67 | - process.command_line 68 | - process.entity_id 69 | - process.executable 70 | - process.name 71 | - process.parent.executable 72 | - process.pid 73 | - process.thread.id 74 | - user.domain 75 | - user.id 76 | - user.name 77 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/linux/linux_file_create.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Linux File Create 3 | description: 'This event is generated when a file is created. 4 | 5 | ' 6 | identification: 7 | os: 8 | - linux 9 | data_stream: logs-endpoint.events.file-* 10 | filter: 11 | event.action: creation 12 | event.dataset: endpoint.events.file 13 | event.module: endpoint 14 | host.os.type: linux 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - ecs.version 25 | - elastic.agent.id 26 | - event.action 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.sequence 35 | - event.type 36 | - file.extension 37 | - file.hash.sha256 38 | - file.name 39 | - file.path 40 | - group.Ext.real.id 41 | - group.Ext.real.name 42 | - group.id 43 | - group.name 44 | - host.architecture 45 | - host.hostname 46 | - host.id 47 | - host.ip 48 | - host.mac 49 | - host.name 50 | - host.os.Ext.variant 51 | - host.os.family 52 | - host.os.full 53 | - host.os.kernel 54 | - host.os.name 55 | - host.os.platform 56 | - host.os.type 57 | - host.os.version 58 | - message 59 | - process.Ext.ancestry 60 | - process.command_line 61 | - process.entity_id 62 | - process.entry_leader.entity_id 63 | - process.entry_leader.parent.entity_id 64 | - 
process.executable 65 | - process.group_leader.entity_id 66 | - process.name 67 | - process.parent.entity_id 68 | - process.pid 69 | - process.session_leader.entity_id 70 | - user.Ext.real.id 71 | - user.Ext.real.name 72 | - user.id 73 | - user.name 74 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/linux/linux_file_delete.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Linux File Delete 3 | description: 'This event is generated when a file is deleted. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: deletion 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: linux 12 | os: 13 | - linux 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - ecs.version 25 | - elastic.agent.id 26 | - event.action 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.sequence 35 | - event.type 36 | - file.extension 37 | - file.name 38 | - file.path 39 | - group.Ext.real.id 40 | - group.Ext.real.name 41 | - group.id 42 | - group.name 43 | - host.architecture 44 | - host.hostname 45 | - host.id 46 | - host.ip 47 | - host.mac 48 | - host.name 49 | - host.os.Ext.variant 50 | - host.os.family 51 | - host.os.full 52 | - host.os.kernel 53 | - host.os.name 54 | - host.os.platform 55 | - host.os.type 56 | - host.os.version 57 | - message 58 | - process.Ext.ancestry 59 | - process.command_line 60 | - process.entity_id 61 | - process.entry_leader.entity_id 62 | - process.entry_leader.parent.entity_id 63 | - process.executable 64 | - process.group_leader.entity_id 65 | - process.name 66 | - process.parent.entity_id 67 | - 
process.pid 68 | - process.session_leader.entity_id 69 | - user.Ext.real.id 70 | - user.Ext.real.name 71 | - user.id 72 | - user.name 73 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/linux/linux_file_endpoint_unquarantine.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Linux Malware Unquarantine 3 | description: 'This event is generated when Endpoint restores a file from the malware 4 | quarantine. 5 | 6 | ' 7 | identification: 8 | filter: 9 | event.action: endpoint_unquarantine 10 | event.dataset: endpoint.events.file 11 | event.module: endpoint 12 | host.os.type: linux 13 | os: 14 | - linux 15 | data_stream: logs-endpoint.events.file-* 16 | fields: 17 | endpoint: 18 | - '@timestamp' 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.Ext.correlation.id 28 | - event.action 29 | - event.category 30 | - event.created 31 | - event.dataset 32 | - event.id 33 | - event.kind 34 | - event.module 35 | - event.outcome 36 | - event.sequence 37 | - event.type 38 | - file.Ext.original.path 39 | - file.hash.md5 40 | - file.hash.sha1 41 | - file.hash.sha256 42 | - file.name 43 | - file.path 44 | - host.architecture 45 | - host.hostname 46 | - host.id 47 | - host.ip 48 | - host.mac 49 | - host.name 50 | - host.os.Ext.variant 51 | - host.os.family 52 | - host.os.full 53 | - host.os.kernel 54 | - host.os.name 55 | - host.os.platform 56 | - host.os.type 57 | - host.os.version 58 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/linux/linux_file_rename.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Linux File Rename 3 | description: 'This event is 
generated when a file is renamed. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: rename 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: linux 12 | os: 13 | - linux 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - ecs.version 25 | - elastic.agent.id 26 | - event.action 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.sequence 35 | - event.type 36 | - file.Ext.original.extension 37 | - file.Ext.original.name 38 | - file.Ext.original.path 39 | - file.extension 40 | - file.hash.sha256 41 | - file.name 42 | - file.path 43 | - group.Ext.real.id 44 | - group.Ext.real.name 45 | - group.id 46 | - group.name 47 | - host.architecture 48 | - host.hostname 49 | - host.id 50 | - host.ip 51 | - host.mac 52 | - host.name 53 | - host.os.Ext.variant 54 | - host.os.family 55 | - host.os.full 56 | - host.os.kernel 57 | - host.os.name 58 | - host.os.platform 59 | - host.os.type 60 | - host.os.version 61 | - message 62 | - process.Ext.ancestry 63 | - process.command_line 64 | - process.entity_id 65 | - process.entry_leader.entity_id 66 | - process.entry_leader.parent.entity_id 67 | - process.executable 68 | - process.group_leader.entity_id 69 | - process.name 70 | - process.parent.entity_id 71 | - process.pid 72 | - process.session_leader.entity_id 73 | - user.Ext.real.id 74 | - user.Ext.real.name 75 | - user.id 76 | - user.name 77 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_access.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS File Access 3 | description: 'This event is
generated when a file is accessed. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: open 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: macos 12 | os: 13 | - macos 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - file.hash.sha256 41 | - file.inode 42 | - file.name 43 | - file.path 44 | - file.size 45 | - group.Ext.real.id 46 | - group.id 47 | - host.architecture 48 | - host.hostname 49 | - host.id 50 | - host.ip 51 | - host.mac 52 | - host.name 53 | - host.os.Ext.variant 54 | - host.os.family 55 | - host.os.full 56 | - host.os.kernel 57 | - host.os.name 58 | - host.os.platform 59 | - host.os.type 60 | - host.os.version 61 | - message 62 | - process.name 63 | - process.pid 64 | - user.Ext.real.id 65 | - user.id 66 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_delete.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS File Delete 3 | description: 'This event is generated when a file is deleted. 
4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: deletion 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: macos 12 | os: 13 | - macos 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - file.extension 41 | - file.inode 42 | - file.name 43 | - file.path 44 | - file.size 45 | - group.Ext.real.id 46 | - group.Ext.real.name 47 | - group.id 48 | - group.name 49 | - host.architecture 50 | - host.hostname 51 | - host.id 52 | - host.ip 53 | - host.mac 54 | - host.name 55 | - host.os.Ext.variant 56 | - host.os.family 57 | - host.os.full 58 | - host.os.kernel 59 | - host.os.name 60 | - host.os.platform 61 | - host.os.type 62 | - host.os.version 63 | - message 64 | - process.Ext.ancestry 65 | - process.code_signature.exists 66 | - process.code_signature.signing_id 67 | - process.code_signature.status 68 | - process.code_signature.subject_name 69 | - process.code_signature.team_id 70 | - process.code_signature.trusted 71 | - process.command_line 72 | - process.entity_id 73 | - process.executable 74 | - process.name 75 | - process.parent.pid 76 | - process.pid 77 | - user.Ext.real.id 78 | - user.Ext.real.name 79 | - user.id 80 | - user.name 81 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_endpoint_unquarantine.yaml: 
-------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS Malware Unquarantine 3 | description: 'This event is generated when Endpoint restores a file from the malware 4 | quarantine. 5 | 6 | ' 7 | identification: 8 | filter: 9 | event.action: endpoint_unquarantine 10 | event.dataset: endpoint.events.file 11 | event.module: endpoint 12 | host.os.type: macos 13 | os: 14 | - macos 15 | data_stream: logs-endpoint.events.file-* 16 | fields: 17 | endpoint: 18 | - '@timestamp' 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.Ext.correlation.id 28 | - event.action 29 | - event.category 30 | - event.created 31 | - event.dataset 32 | - event.id 33 | - event.kind 34 | - event.module 35 | - event.outcome 36 | - event.sequence 37 | - event.type 38 | - file.Ext.original.path 39 | - file.hash.md5 40 | - file.hash.sha1 41 | - file.hash.sha256 42 | - file.name 43 | - file.path 44 | - host.architecture 45 | - host.hostname 46 | - host.id 47 | - host.ip 48 | - host.mac 49 | - host.name 50 | - host.os.Ext.variant 51 | - host.os.family 52 | - host.os.full 53 | - host.os.kernel 54 | - host.os.name 55 | - host.os.platform 56 | - host.os.type 57 | - host.os.version 58 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_extended_attributes_delete.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS File Extended Attributes Delete 3 | description: 'This event is generated when extended file attributes are deleted. 
4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: extended_attributes_delete 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: macos 12 | os: 13 | - macos 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - file.attributes 41 | - file.hash.sha256 42 | - file.inode 43 | - file.name 44 | - file.path 45 | - file.size 46 | - group.Ext.real.id 47 | - group.Ext.real.name 48 | - group.id 49 | - group.name 50 | - host.architecture 51 | - host.hostname 52 | - host.id 53 | - host.ip 54 | - host.mac 55 | - host.name 56 | - host.os.Ext.variant 57 | - host.os.family 58 | - host.os.full 59 | - host.os.kernel 60 | - host.os.name 61 | - host.os.platform 62 | - host.os.type 63 | - host.os.version 64 | - message 65 | - process.Ext.ancestry 66 | - process.code_signature.exists 67 | - process.code_signature.signing_id 68 | - process.code_signature.status 69 | - process.code_signature.subject_name 70 | - process.code_signature.team_id 71 | - process.code_signature.trusted 72 | - process.entity_id 73 | - process.executable 74 | - process.name 75 | - process.parent.pid 76 | - process.pid 77 | - user.Ext.real.id 78 | - user.Ext.real.name 79 | - user.id 80 | - user.name 81 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_launch_daemon.yaml: 
-------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS Launch Daemon 3 | description: 'This event includes information about a macOS Launch Daemon. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: launch_daemon 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: macos 12 | os: 13 | - macos 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - Persistence.args 23 | - Persistence.keepalive 24 | - Persistence.name 25 | - Persistence.path 26 | - Persistence.runatload 27 | - agent.id 28 | - agent.type 29 | - agent.version 30 | - data_stream.dataset 31 | - data_stream.namespace 32 | - data_stream.type 33 | - ecs.version 34 | - elastic.agent.id 35 | - event.action 36 | - event.category 37 | - event.created 38 | - event.dataset 39 | - event.id 40 | - event.kind 41 | - event.module 42 | - event.outcome 43 | - event.sequence 44 | - event.type 45 | - group.Ext.real.id 46 | - group.Ext.real.name 47 | - group.id 48 | - group.name 49 | - host.architecture 50 | - host.hostname 51 | - host.id 52 | - host.ip 53 | - host.mac 54 | - host.name 55 | - host.os.Ext.variant 56 | - host.os.family 57 | - host.os.full 58 | - host.os.kernel 59 | - host.os.name 60 | - host.os.platform 61 | - host.os.type 62 | - host.os.version 63 | - message 64 | - process.Ext.ancestry 65 | - process.code_signature.exists 66 | - process.code_signature.signing_id 67 | - process.code_signature.status 68 | - process.code_signature.subject_name 69 | - process.code_signature.team_id 70 | - process.code_signature.trusted 71 | - process.entity_id 72 | - process.executable 73 | - process.name 74 | - process.pid 75 | - user.Ext.real.id 76 | - user.Ext.real.name 77 | - user.id 78 | - user.name 79 | 
-------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/macos/macos_file_mount.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: macOS Mount 3 | description: 'This event is generated when a file system is mounted. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: mount 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: macos 12 | os: 13 | - macos 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - file.Ext.original.path 41 | - file.inode 42 | - file.path 43 | - group.Ext.real.id 44 | - group.Ext.real.name 45 | - group.id 46 | - group.name 47 | - host.architecture 48 | - host.hostname 49 | - host.id 50 | - host.ip 51 | - host.mac 52 | - host.name 53 | - host.os.Ext.variant 54 | - host.os.family 55 | - host.os.full 56 | - host.os.kernel 57 | - host.os.name 58 | - host.os.platform 59 | - host.os.type 60 | - host.os.version 61 | - message 62 | - process.Ext.ancestry 63 | - process.code_signature.exists 64 | - process.code_signature.signing_id 65 | - process.code_signature.status 66 | - process.code_signature.subject_name 67 | - process.code_signature.team_id 68 | - process.code_signature.trusted 69 | - process.entity_id 70 | - process.executable 71 | - process.name 72 | - process.parent.pid 73 | - process.pid 74 | - user.Ext.real.id 75 | - 
user.Ext.real.name 76 | - user.id 77 | - user.name 78 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/windows/windows_file_delete.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows File Delete 3 | description: 'This event is generated when a file is deleted. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: deletion 9 | event.dataset: endpoint.events.file 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.file-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - file.Ext.entropy 41 | - file.Ext.monotonic_id 42 | - file.extension 43 | - file.name 44 | - file.path 45 | - file.size 46 | - host.architecture 47 | - host.hostname 48 | - host.id 49 | - host.ip 50 | - host.mac 51 | - host.name 52 | - host.os.Ext.variant 53 | - host.os.family 54 | - host.os.full 55 | - host.os.kernel 56 | - host.os.name 57 | - host.os.platform 58 | - host.os.type 59 | - host.os.version 60 | - message 61 | - process.Ext.ancestry 62 | - process.Ext.code_signature.exists 63 | - process.Ext.code_signature.status 64 | - process.Ext.code_signature.subject_name 65 | - process.Ext.code_signature.trusted 66 | - process.code_signature.exists 67 | - process.code_signature.status 68 | - process.code_signature.subject_name 69 | - process.code_signature.trusted 70 | - 
process.command_line 71 | - process.entity_id 72 | - process.executable 73 | - process.name 74 | - process.parent.pid 75 | - process.pid 76 | - process.thread.id 77 | - user.domain 78 | - user.id 79 | - user.name 80 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/file/windows/windows_file_endpoint_unquarantine.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows Malware Unquarantine 3 | description: 'This event is generated when Endpoint restores a file from the malware 4 | quarantine. 5 | 6 | ' 7 | identification: 8 | filter: 9 | event.action: endpoint_unquarantine 10 | event.dataset: endpoint.events.file 11 | event.module: endpoint 12 | host.os.type: windows 13 | os: 14 | - windows 15 | data_stream: logs-endpoint.events.file-* 16 | fields: 17 | endpoint: 18 | - '@timestamp' 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.Ext.correlation.id 28 | - event.action 29 | - event.category 30 | - event.created 31 | - event.dataset 32 | - event.id 33 | - event.kind 34 | - event.module 35 | - event.outcome 36 | - event.sequence 37 | - event.type 38 | - file.Ext.original.path 39 | - file.hash.md5 40 | - file.hash.sha1 41 | - file.hash.sha256 42 | - file.name 43 | - file.path 44 | - host.architecture 45 | - host.hostname 46 | - host.id 47 | - host.ip 48 | - host.mac 49 | - host.name 50 | - host.os.Ext.variant 51 | - host.os.family 52 | - host.os.full 53 | - host.os.kernel 54 | - host.os.name 55 | - host.os.platform 56 | - host.os.type 57 | - host.os.version 58 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/metadata/metadata.yaml: -------------------------------------------------------------------------------- 
1 | overview: 2 | name: Endpoint Metadata 3 | description: 'This is a relatively small state management document that includes 4 | details about an installed Endpoint. 5 | 6 | ' 7 | identification: 8 | os: 9 | - linux 10 | - macos 11 | - windows 12 | filter: 13 | event.module: endpoint 14 | event.action: endpoint_metadata 15 | event.dataset: endpoint.metadata 16 | data_stream: metrics-endpoint.metadata-* 17 | fields: 18 | endpoint: 19 | - '@timestamp' 20 | - Endpoint.capabilities 21 | - Endpoint.configuration.isolation 22 | - Endpoint.policy.applied.endpoint_policy_version 23 | - Endpoint.policy.applied.id 24 | - Endpoint.policy.applied.name 25 | - Endpoint.policy.applied.status 26 | - Endpoint.policy.applied.version 27 | - Endpoint.state.isolation 28 | - Endpoint.state.tamper_protection 29 | - Endpoint.status 30 | - agent.build.original 31 | - agent.id 32 | - agent.type 33 | - agent.version 34 | - data_stream.dataset 35 | - data_stream.namespace 36 | - data_stream.type 37 | - ecs.version 38 | - elastic.agent.id 39 | - event.action 40 | - event.category 41 | - event.created 42 | - event.dataset 43 | - event.id 44 | - event.kind 45 | - event.module 46 | - event.sequence 47 | - event.type 48 | - host.architecture 49 | - host.hostname 50 | - host.id 51 | - host.ip 52 | - host.mac 53 | - host.name 54 | - host.os.Ext.variant 55 | - host.os.family 56 | - host.os.full 57 | - host.os.kernel 58 | - host.os.name 59 | - host.os.platform 60 | - host.os.type 61 | - host.os.version 62 | - message 63 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/network/linux/linux_network_dns_lookup_result.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Linux DNS Lookup Result 3 | description: This event is generated when results are returned for a DNS lookup 4 | request. 
5 | identification: 6 | filter: 7 | event.action: lookup_result 8 | event.dataset: endpoint.events.network 9 | event.module: endpoint 10 | host.os.type: linux 11 | os: 12 | - linux 13 | data_stream: logs-endpoint.events.network-* 14 | fields: 15 | endpoint: 16 | - '@timestamp' 17 | - agent.id 18 | - agent.type 19 | - agent.version 20 | - data_stream.dataset 21 | - data_stream.namespace 22 | - data_stream.type 23 | - destination.address 24 | - destination.ip 25 | - destination.port 26 | - dns.question.name 27 | - dns.question.type 28 | - dns.resolved_ip 29 | - ecs.version 30 | - elastic.agent.id 31 | - event.action 32 | - event.category 33 | - event.created 34 | - event.dataset 35 | - event.id 36 | - event.kind 37 | - event.module 38 | - event.outcome 39 | - event.sequence 40 | - event.type 41 | - group.Ext.real.id 42 | - group.Ext.real.name 43 | - group.id 44 | - group.name 45 | - host.id 46 | - host.name 47 | - host.os.type 48 | - message 49 | - network.protocol 50 | - network.transport 51 | - process.Ext.ancestry 52 | - process.command_line 53 | - process.entity_id 54 | - process.executable 55 | - process.name 56 | - process.parent.entity_id 57 | - process.pid 58 | - process.thread.capabilities.effective 59 | - process.thread.capabilities.permitted 60 | - source.address 61 | - source.ip 62 | - source.port 63 | - user.Ext.real.id 64 | - user.Ext.real.name 65 | - user.id 66 | - user.name 67 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/network/windows/windows_network_dns_lookup_requested.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows DNS Lookup Request 3 | description: 'This event is generated when a DNS lookup request is initiated. 
4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: lookup_requested 9 | event.dataset: endpoint.events.network 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.network-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - destination.port 25 | - dns.Ext.options 26 | - dns.Ext.status 27 | - dns.question.name 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - host.architecture 41 | - host.hostname 42 | - host.id 43 | - host.ip 44 | - host.mac 45 | - host.name 46 | - host.os.Ext.variant 47 | - host.os.family 48 | - host.os.full 49 | - host.os.kernel 50 | - host.os.name 51 | - host.os.platform 52 | - host.os.type 53 | - host.os.version 54 | - message 55 | - network.destination.port 56 | - network.protocol 57 | - process.Ext.ancestry 58 | - process.Ext.code_signature.exists 59 | - process.Ext.code_signature.status 60 | - process.Ext.code_signature.subject_name 61 | - process.Ext.code_signature.trusted 62 | - process.code_signature.exists 63 | - process.code_signature.status 64 | - process.code_signature.subject_name 65 | - process.code_signature.trusted 66 | - process.entity_id 67 | - process.executable 68 | - process.name 69 | - process.pid 70 | - user.domain 71 | - user.id 72 | - user.name 73 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/network/windows/windows_network_dns_lookup_result.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows DNS Lookup Result 3 | description: 'This event is generated when results are 
returned for a DNS lookup 4 | request. 5 | 6 | ' 7 | identification: 8 | filter: 9 | event.action: lookup_result 10 | event.dataset: endpoint.events.network 11 | event.module: endpoint 12 | host.os.type: windows 13 | os: 14 | - windows 15 | data_stream: logs-endpoint.events.network-* 16 | fields: 17 | endpoint: 18 | - '@timestamp' 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - destination.port 26 | - dns.Ext.options 27 | - dns.Ext.status 28 | - dns.question.name 29 | - dns.resolved_ip 30 | - ecs.version 31 | - elastic.agent.id 32 | - event.action 33 | - event.category 34 | - event.created 35 | - event.dataset 36 | - event.id 37 | - event.kind 38 | - event.module 39 | - event.outcome 40 | - event.sequence 41 | - event.type 42 | - host.architecture 43 | - host.hostname 44 | - host.id 45 | - host.ip 46 | - host.mac 47 | - host.name 48 | - host.os.Ext.variant 49 | - host.os.family 50 | - host.os.full 51 | - host.os.kernel 52 | - host.os.name 53 | - host.os.platform 54 | - host.os.type 55 | - host.os.version 56 | - message 57 | - network.destination.port 58 | - network.protocol 59 | - process.Ext.ancestry 60 | - process.Ext.code_signature.exists 61 | - process.Ext.code_signature.status 62 | - process.Ext.code_signature.subject_name 63 | - process.Ext.code_signature.trusted 64 | - process.code_signature.exists 65 | - process.code_signature.status 66 | - process.code_signature.subject_name 67 | - process.code_signature.trusted 68 | - process.entity_id 69 | - process.executable 70 | - process.name 71 | - process.pid 72 | - user.domain 73 | - user.id 74 | - user.name 75 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/registry/windows/windows_registry_modification.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows Registry 
Modification 3 | description: 'This event is generated when the registry is modified. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: modification 9 | event.dataset: endpoint.events.registry 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.registry-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - host.architecture 41 | - host.hostname 42 | - host.id 43 | - host.ip 44 | - host.mac 45 | - host.name 46 | - host.os.Ext.variant 47 | - host.os.family 48 | - host.os.full 49 | - host.os.kernel 50 | - host.os.name 51 | - host.os.platform 52 | - host.os.type 53 | - host.os.version 54 | - message 55 | - process.Ext.ancestry 56 | - process.Ext.code_signature.exists 57 | - process.Ext.code_signature.status 58 | - process.Ext.code_signature.subject_name 59 | - process.Ext.code_signature.trusted 60 | - process.code_signature.exists 61 | - process.code_signature.status 62 | - process.code_signature.subject_name 63 | - process.code_signature.trusted 64 | - process.entity_id 65 | - process.executable 66 | - process.name 67 | - process.pid 68 | - registry.data.bytes 69 | - registry.data.strings 70 | - registry.data.type 71 | - registry.hive 72 | - registry.key 73 | - registry.path 74 | - registry.value 75 | - user.domain 76 | - user.id 77 | - user.name 78 | -------------------------------------------------------------------------------- 
/custom_documentation/src/endpoint/data_stream/registry/windows/windows_registry_query.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows Registry Query 3 | description: 'This event is generated when the Windows registry is queried. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: query 9 | event.dataset: endpoint.events.registry 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.registry-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Effective_process.entity_id 19 | - Effective_process.executable 20 | - Effective_process.name 21 | - Effective_process.pid 22 | - agent.id 23 | - agent.type 24 | - agent.version 25 | - data_stream.dataset 26 | - data_stream.namespace 27 | - data_stream.type 28 | - ecs.version 29 | - elastic.agent.id 30 | - event.action 31 | - event.category 32 | - event.created 33 | - event.dataset 34 | - event.id 35 | - event.kind 36 | - event.module 37 | - event.outcome 38 | - event.sequence 39 | - event.type 40 | - host.architecture 41 | - host.hostname 42 | - host.id 43 | - host.ip 44 | - host.mac 45 | - host.name 46 | - host.os.Ext.variant 47 | - host.os.family 48 | - host.os.full 49 | - host.os.kernel 50 | - host.os.name 51 | - host.os.platform 52 | - host.os.type 53 | - host.os.version 54 | - message 55 | - process.Ext.ancestry 56 | - process.Ext.code_signature.exists 57 | - process.Ext.code_signature.status 58 | - process.Ext.code_signature.subject_name 59 | - process.Ext.code_signature.trusted 60 | - process.code_signature.exists 61 | - process.code_signature.status 62 | - process.code_signature.subject_name 63 | - process.code_signature.trusted 64 | - process.entity_id 65 | - process.executable 66 | - process.name 67 | - process.pid 68 | - registry.data.type 69 | - registry.hive 70 | - registry.key 71 | - registry.path 72 | - registry.value 73 | - user.domain 74 | - user.id 75 | - 
user.name 76 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_off.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows User Log Off 3 | description: 'This event is generated when a user logs off of the computer. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: log_off 9 | event.dataset: endpoint.events.security 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.security-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Target.process.Ext.authentication_id 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.action 28 | - event.category 29 | - event.code 30 | - event.created 31 | - event.dataset 32 | - event.id 33 | - event.kind 34 | - event.module 35 | - event.outcome 36 | - event.sequence 37 | - event.type 38 | - host.architecture 39 | - host.hostname 40 | - host.id 41 | - host.ip 42 | - host.mac 43 | - host.name 44 | - host.os.Ext.variant 45 | - host.os.family 46 | - host.os.full 47 | - host.os.kernel 48 | - host.os.name 49 | - host.os.platform 50 | - host.os.type 51 | - host.os.version 52 | - message 53 | - process.Ext.ancestry 54 | - process.Ext.code_signature.exists 55 | - process.Ext.code_signature.status 56 | - process.Ext.code_signature.subject_name 57 | - process.Ext.code_signature.trusted 58 | - process.Ext.session_info.logon_type 59 | - process.code_signature.exists 60 | - process.code_signature.status 61 | - process.code_signature.subject_name 62 | - process.code_signature.trusted 63 | - process.entity_id 64 | - process.executable 65 | - user.domain 66 | - user.effective.domain 67 | - user.effective.email 68 | - user.effective.full_name 69 | - 
user.effective.hash 70 | - user.effective.id 71 | - user.effective.name 72 | - user.id 73 | - user.name 74 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_on.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows User Log On 3 | description: 'This event is generated when a user logs on to the computer. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: log_on 9 | event.dataset: endpoint.events.security 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.security-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - Target.process.Ext.authentication_id 19 | - agent.id 20 | - agent.type 21 | - agent.version 22 | - data_stream.dataset 23 | - data_stream.namespace 24 | - data_stream.type 25 | - ecs.version 26 | - elastic.agent.id 27 | - event.action 28 | - event.category 29 | - event.code 30 | - event.created 31 | - event.dataset 32 | - event.id 33 | - event.kind 34 | - event.module 35 | - event.outcome 36 | - event.sequence 37 | - event.type 38 | - host.architecture 39 | - host.hostname 40 | - host.id 41 | - host.ip 42 | - host.mac 43 | - host.name 44 | - host.os.Ext.variant 45 | - host.os.family 46 | - host.os.full 47 | - host.os.kernel 48 | - host.os.name 49 | - host.os.platform 50 | - host.os.type 51 | - host.os.version 52 | - message 53 | - process.Ext.ancestry 54 | - process.Ext.authentication_id 55 | - process.Ext.code_signature.exists 56 | - process.Ext.code_signature.status 57 | - process.Ext.code_signature.subject_name 58 | - process.Ext.code_signature.trusted 59 | - process.Ext.session_info.logon_type 60 | - process.code_signature.exists 61 | - process.code_signature.status 62 | - process.code_signature.subject_name 63 | - process.code_signature.trusted 64 | - process.entity_id 65 | - 
process.executable 66 | - process.name 67 | - user.domain 68 | - user.effective.domain 69 | - user.effective.email 70 | - user.effective.full_name 71 | - user.effective.hash 72 | - user.effective.id 73 | - user.effective.name 74 | - user.id 75 | - user.name 76 | - winlog.event_data.PrivilegeList 77 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/volume_device/windows/windows_volume_device_mount.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows Device Mount 3 | description: 'This event is generated when a device is mounted. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: mount 9 | event.dataset: endpoint.events.volume_device 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.volume_device-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - ecs.version 25 | - elastic.agent.id 26 | - event.action 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.sequence 35 | - event.type 36 | - host.architecture 37 | - host.hostname 38 | - host.id 39 | - host.ip 40 | - host.mac 41 | - host.name 42 | - host.os.Ext.variant 43 | - host.os.family 44 | - host.os.full 45 | - host.os.kernel 46 | - host.os.name 47 | - host.os.platform 48 | - host.os.type 49 | - host.os.version 50 | - message 51 | - process.Ext.ancestry 52 | - process.Ext.code_signature.exists 53 | - process.Ext.code_signature.status 54 | - process.Ext.code_signature.subject_name 55 | - process.Ext.code_signature.trusted 56 | - process.code_signature.exists 57 | - process.code_signature.status 58 | - process.code_signature.subject_name 59 | - 
process.code_signature.trusted 60 | - process.entity_id 61 | - process.executable 62 | - process.name 63 | - process.pid 64 | - user.domain 65 | - user.id 66 | - user.name 67 | - volume.bus_type 68 | - volume.device_type 69 | - volume.dos_name 70 | - volume.file_system_type 71 | - volume.nt_name 72 | - volume.product_name 73 | - volume.serial_number 74 | - volume.vendor_name 75 | -------------------------------------------------------------------------------- /custom_documentation/src/endpoint/data_stream/volume_device/windows/windows_volume_device_unmount.yaml: -------------------------------------------------------------------------------- 1 | overview: 2 | name: Windows Device Unmount 3 | description: 'This event is generated when a device is unmounted. 4 | 5 | ' 6 | identification: 7 | filter: 8 | event.action: unmount 9 | event.dataset: endpoint.events.volume_device 10 | event.module: endpoint 11 | host.os.type: windows 12 | os: 13 | - windows 14 | data_stream: logs-endpoint.events.volume_device-* 15 | fields: 16 | endpoint: 17 | - '@timestamp' 18 | - agent.id 19 | - agent.type 20 | - agent.version 21 | - data_stream.dataset 22 | - data_stream.namespace 23 | - data_stream.type 24 | - ecs.version 25 | - elastic.agent.id 26 | - event.action 27 | - event.category 28 | - event.created 29 | - event.dataset 30 | - event.id 31 | - event.kind 32 | - event.module 33 | - event.outcome 34 | - event.sequence 35 | - event.type 36 | - host.architecture 37 | - host.hostname 38 | - host.id 39 | - host.ip 40 | - host.mac 41 | - host.name 42 | - host.os.Ext.variant 43 | - host.os.family 44 | - host.os.full 45 | - host.os.kernel 46 | - host.os.name 47 | - host.os.platform 48 | - host.os.type 49 | - host.os.version 50 | - message 51 | - process.Ext.ancestry 52 | - process.entity_id 53 | - process.name 54 | - process.pid 55 | - user.domain 56 | - user.id 57 | - user.name 58 | - volume.bus_type 59 | - volume.device_type 60 | - volume.dos_name 61 | - volume.file_system_type 62 | - 
volume.nt_name 63 | - volume.product_name 64 | - volume.serial_number 65 | - volume.vendor_name 66 | -------------------------------------------------------------------------------- /custom_schemas/custom_action_policy.yml: -------------------------------------------------------------------------------- 1 | - name: agent 2 | title: Agent 3 | type: group 4 | group: 2 5 | level: custom 6 | short: agent 7 | description: > 8 | The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. 9 | 10 | Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 11 | fields: 12 | - name: policy.elasticAgentId 13 | title: Elastic Agent ID 14 | type: keyword 15 | level: custom 16 | short: elastic agent ID 17 | description: > 18 | The agent ID of elastic agent explicitly, even if agent.id refers to an external agent. 19 | - name: policy.integrationPolicyId 20 | title: Integration Policy ID 21 | type: keyword 22 | level: custom 23 | short: integration policy 24 | description: > 25 | The agent's integration policy ID at the time the action was initiated. 26 | - name: policy.agentPolicyId 27 | title: Agent Policy ID 28 | type: keyword 29 | level: custom 30 | short: agent policy 31 | description: > 32 | The agent's policy ID at the time the action was initiated. 
33 | -------------------------------------------------------------------------------- /custom_schemas/custom_action_space.yml: -------------------------------------------------------------------------------- 1 | - name: space 2 | root: true 3 | title: Space 4 | group: 2 5 | short: Space-related fields 6 | description: > 7 | Fields to enable space-tracking in action documents 8 | type: group 9 | fields: 10 | - name: originSpaceId 11 | title: Origin Space ID 12 | type: keyword 13 | level: custom 14 | short: originating space ID 15 | description: > 16 | The space ID that the action was initiated from 17 | 18 | -------------------------------------------------------------------------------- /custom_schemas/custom_data_stream.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # NOTE this file is temporary and once ECS merges in the data_stream fields into core we should remove these 3 | - name: data_stream 4 | title: data_stream 5 | group: 2 6 | short: Fields describing the new indexing strategy 7 | description: > 8 | Fields describing the new indexing strategy -- 9 | type: group 10 | fields: 11 | - name: type 12 | level: custom 13 | type: constant_keyword 14 | description: > 15 | Data stream type. 16 | 17 | - name: dataset 18 | level: custom 19 | type: constant_keyword 20 | description: > 21 | Data stream dataset name. 22 | 23 | - name: namespace 24 | level: custom 25 | type: constant_keyword 26 | description: > 27 | Data stream namespace. 28 | -------------------------------------------------------------------------------- /custom_schemas/custom_dns.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: dns 3 | title: DNS 4 | group: 2 5 | short: Fields describing DNS queries and answers. 6 | description: > 7 | Fields describing DNS queries and answers. 
8 | 9 | DNS events should either represent a single DNS query prior to getting answers 10 | (`dns.type:query`) or they should represent a full exchange and contain 11 | the query details as well as all of the answers that were provided for this 12 | query (`dns.type:answer`). 13 | type: group 14 | fields: 15 | - name: Ext 16 | level: custom 17 | type: object 18 | description: Object for all custom defined fields to live in. 19 | 20 | - name: Ext.status 21 | level: custom 22 | type: long 23 | description: DNS status field (uint32), stored as a long 24 | 25 | - name: Ext.options 26 | level: custom 27 | type: keyword 28 | description: DNS options field (uint64). Stored as a keyword because the Elasticsearch `long` type is a signed 64-bit integer and cannot represent the upper half of the uint64 range 29 | -------------------------------------------------------------------------------- /custom_schemas/custom_effective_process.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Effective_process 3 | title: Effective_process 4 | group: 2 5 | short: These fields contain information about an effective process. 6 | description: > 7 | These fields contain information about an effective process. 8 | 9 | The effective process is the process that requested a specific action without directly performing it. 10 | 11 | Processes can have effective parents that differ from their regular parents. 12 | For example, on Windows, "wmic process call create notepad" will ask WmiPrvSE.exe to launch notepad.exe. 13 | WmiPrvSE.exe will be notepad.exe's parent, but wmic.exe will be the effective parent. 14 | 15 | Events can have effective processes that differ from their regular processes. 16 | For example, on Windows, "reg add \\localhost\HKLM\Software\Foo /v Data /t REG_SZ /d 123" 17 | will result in a registry event from the Remote Registry service (svchost.exe). 18 | In this case, the effective process will be reg.exe. Detection logic that keys on process.* alone will attribute such actions to the proxy (WmiPrvSE.exe or svchost.exe); use the Effective_process.* fields to recover the process that actually initiated the action. 
19 | reusable: 20 | top_level: true 21 | expected: 22 | - { at: process.Ext, as: effective_parent } 23 | type: group 24 | 25 | fields: 26 | - name: pid 27 | level: custom 28 | type: long 29 | short: Process ID. 30 | description: > 31 | Process ID. 32 | example: 4242 33 | 34 | - name: entity_id 35 | level: custom 36 | type: keyword 37 | short: Unique identifier for the effective process. 38 | description: > 39 | Unique identifier for the effective process. 40 | example: c2c455d9f99375d 41 | 42 | - name: name 43 | level: custom 44 | type: keyword 45 | short: Process name for the effective process. 46 | description: > 47 | Process name for the effective process. 48 | example: WMIC.exe 49 | 50 | - name: executable 51 | level: custom 52 | type: keyword 53 | short: Executable name for the effective process. 54 | description: > 55 | Executable name for the effective process. 56 | example: C:\Windows\System32\wbem\WMIC.exe 57 | -------------------------------------------------------------------------------- /custom_schemas/custom_elastic.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: elastic 3 | title: Elastic 4 | group: 2 5 | description: > 6 | Holds fields and properties of data points and concepts in the elastic domain or namespace. 7 | short: > 8 | Holds fields and properties of data points and concepts in the elastic domain or namespace. 9 | type: group 10 | fields: 11 | - name: agent 12 | level: custom 13 | type: object 14 | description: > 15 | The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent 16 | that manages other agents or process on the host. 17 | short: The agent fields contain data about the Elastic Agent. 18 | 19 | - name: agent.id 20 | level: custom 21 | description: > 22 | Unique identifier of this elastic agent (if one exists). 
23 | type: keyword 24 | example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a 25 | -------------------------------------------------------------------------------- /custom_schemas/custom_event.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: event 3 | title: Event 4 | group: 2 5 | short: Fields breaking down the event details. 6 | description: > 7 | The event fields are used for context information about the log or metric event itself. 8 | 9 | A log is defined as an event containing details of something that happened. 10 | Log events must include the time at which the thing happened. 11 | Examples of log events include a process starting on a host, 12 | a network packet being sent from a source to a destination, 13 | or a network connection between a client and a server being initiated or closed. 14 | A metric is defined as an event containing one or more numerical measurements 15 | and the time at which the measurement was taken. Examples of metric events include 16 | memory pressure measured on a host and device temperature. 17 | See the `event.kind` definition in this section for additional details about 18 | metric and state events. 19 | type: group 20 | fields: 21 | - name: Ext 22 | level: custom 23 | type: object 24 | description: Object for all custom defined fields to live in. 25 | 26 | - name: Ext.correlation 27 | level: custom 28 | type: object 29 | description: Information about event this should be correlated with. 30 | 31 | - name: Ext.correlation.id 32 | level: custom 33 | type: keyword 34 | description: ID of event that this event is correlated to, e.g. 
quarantine event associated with an unquarantine event 35 | -------------------------------------------------------------------------------- /custom_schemas/custom_group.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: group 3 | title: Group 4 | group: 2 5 | short: User's group relevant to the event. 6 | description: > 7 | The group fields are meant to represent groups that are relevant to the 8 | event. 9 | type: group 10 | reusable: 11 | top_level: true 12 | expected: 13 | - at: process 14 | as: attested_groups 15 | short_override: The externally attested groups based on an external source such as the Kube API. 16 | beta: Reusing the `group` fields in this location is currently considered beta. 17 | normalize: 18 | - array 19 | fields: 20 | - name: domain 21 | level: extended 22 | type: keyword 23 | ignore_above: 1024 24 | description: 'Name of the directory the group is a member of. 25 | For example, an LDAP or Active Directory domain name.' 26 | 27 | - name: id 28 | level: extended 29 | type: keyword 30 | ignore_above: 1024 31 | description: Unique identifier for the group on the system/platform. 32 | 33 | - name: name 34 | level: extended 35 | type: keyword 36 | ignore_above: 1024 37 | description: Name of the group. 38 | 39 | - name: Ext 40 | level: custom 41 | type: object 42 | description: Object for all custom defined fields to live in. 43 | 44 | - name: Ext.real 45 | level: custom 46 | type: object 47 | description: Group info prior to any setgid operations. 48 | 49 | - name: Ext.real.id 50 | level: custom 51 | type: keyword 52 | description: > 53 | Unique identifier for the group on the system/platform. 54 | 55 | - name: Ext.real.name 56 | level: custom 57 | type: keyword 58 | description: > 59 | Name of the group. 
60 | -------------------------------------------------------------------------------- /custom_schemas/custom_hash.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: hash 3 | title: Hash 4 | group: 2 5 | type: group 6 | short: Hashes, usually file hashes. 7 | description: > 8 | The hash fields represent different hash algorithms and their values. 9 | 10 | Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes 11 | by lowercasing the hash algorithm name and using underscore separators as appropriate 12 | (snake case, e.g. sha3_512). 13 | 14 | reusable: 15 | order: 1 16 | top_level: false 17 | expected: 18 | - macro.collection 19 | - macro.project_file 20 | - macro.stream 21 | - pe.Ext.streams 22 | - pe.Ext.sections 23 | -------------------------------------------------------------------------------- /custom_schemas/custom_http.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: http 3 | title: HTTP 4 | group: 2 5 | short: Fields describing an HTTP request. 6 | description: > 7 | Fields related to HTTP activity. Use the `url` field set to store the url of the request. 8 | type: group 9 | fields: 10 | - name: response.Ext 11 | level: custom 12 | type: object 13 | description: Object for all custom defined fields to live in. 14 | 15 | - name: response.Ext.version 16 | level: custom 17 | type: keyword 18 | description: > 19 | HTTP version 20 | -------------------------------------------------------------------------------- /custom_schemas/custom_malware_classification.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: malware_classification 3 | title: Malware Classification 4 | group: 2 5 | short: These fields contain the malware classification. 6 | description: > 7 | These fields contain the malware classification. 
8 | reusable: 9 | order: 1 10 | top_level: false 11 | expected: 12 | - dll.Ext 13 | - process.Ext 14 | - file.Ext 15 | type: group 16 | fields: 17 | - name: score 18 | level: custom 19 | type: double 20 | description: > 21 | The score produced by the classification model. 22 | 23 | - name: threshold 24 | level: custom 25 | type: double 26 | description: > 27 | The score threshold for the model. Files that score above this threshold are considered malicious. 28 | 29 | - name: identifier 30 | level: custom 31 | type: keyword 32 | description: > 33 | The model's unique identifier. 34 | 35 | - name: version 36 | level: custom 37 | type: keyword 38 | description: > 39 | The version of the model used. 40 | 41 | - name: features.data.buffer 42 | level: custom 43 | type: keyword 44 | description: > 45 | The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. 46 | 47 | - name: features.data.decompressed_size 48 | level: custom 49 | type: integer 50 | description: > 51 | The decompressed size of buffer. 52 | 53 | - name: features.data.encoding 54 | level: custom 55 | type: keyword 56 | description: > 57 | The encoding of buffer (e.g. zlib). 58 | 59 | - name: upx_packed 60 | level: custom 61 | type: boolean 62 | description: > 63 | Whether UPX packing was detected. 64 | -------------------------------------------------------------------------------- /custom_schemas/custom_memory_protection.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Memory_protection 3 | title: Memory Protection 4 | group: 2 5 | short: These fields contain information specific to Memory Protection alerts. 6 | description: > 7 | These fields contain information specific to Memory Protection alerts. 8 | type: group 9 | fields: 10 | - name: feature 11 | level: custom 12 | type: keyword 13 | example: "shellcode_thread" 14 | description: Memory Protection feature which triggered the alert. 
15 | 16 | - name: thread_count 17 | level: custom 18 | type: long 19 | short: The number of threads that this alert applies to. 20 | description: The number of threads that this alert applies to. If several alerts occur in a short period of time, they can be combined into a single alert with thread_count > 1. 21 | 22 | - name: self_injection 23 | level: custom 24 | type: boolean 25 | description: Is this alert about a process injecting into itself? 26 | 27 | - name: parent_to_child 28 | level: custom 29 | type: boolean 30 | description: Is this process injecting into its child? 31 | 32 | - name: cross_session 33 | level: custom 34 | type: boolean 35 | description: Is this process injecting across operating system sessions? 36 | 37 | - name: unique_key_v1 38 | level: custom 39 | type: keyword 40 | description: A unique key created by hashing several characteristics of this alert. 41 | 42 | - name: unique_key_v2 43 | level: custom 44 | type: keyword 45 | example: "00633d00b651c48e61a94589db67e00fd454a5a905409e38de4e48c183105f67" 46 | description: A unique key created by hashing several characteristics of this alert. 47 | -------------------------------------------------------------------------------- /custom_schemas/custom_os.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: os 3 | title: Custom OS 4 | group: 2 5 | short: Custom additions to the ECS os field set, reused under host. 6 | description: > 7 | Custom additions to the ECS os field set, reused under host. Adds caseless and text multi-fields to os.full and os.name, and the custom Ext.variant field. 8 | type: group 9 | reusable: 10 | top_level: false 11 | expected: 12 | - host 13 | fields: 14 | - name: full 15 | multi_fields: 16 | - name: caseless 17 | type: keyword 18 | normalizer: lowercase 19 | - name: text 20 | type: text 21 | 22 | - name: name 23 | multi_fields: 24 | - name: caseless 25 | type: keyword 26 | normalizer: lowercase 27 | - name: text 28 | type: text 29 | 30 | - name: Ext 31 | level: custom 32 | type: object 33 | description: Object for all custom defined fields to live in. 
34 | 35 | # this is temporary until variant is included in ecs core https://github.com/elastic/ecs/issues/744 36 | - name: Ext.variant 37 | level: custom 38 | type: keyword 39 | description: > 40 | A string value or phrase that further aids in classifying or qualifying the operating system (OS). 41 | For example, the distribution of a Linux OS is recorded in this field. 42 | short: A string value or phrase that further aids in classifying or qualifying the operating system (OS). 43 | example: Ubuntu 44 | -------------------------------------------------------------------------------- /custom_schemas/custom_pe.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: pe 3 | title: PE Header 4 | group: 2 5 | description: These fields contain Windows Portable Executable (PE) metadata. 6 | type: group 7 | reusable: 8 | order: 1 9 | expected: 10 | - at: memory_region 11 | as: mapped_pe 12 | - at: memory_region 13 | as: memory_pe 14 | fields: 15 | - name: Ext.dotnet 16 | level: custom 17 | type: boolean 18 | description: Whether this file is a .NET PE 19 | example: "true" 20 | 21 | - name: Ext.sections 22 | level: custom 23 | type: object 24 | short: The file's sections, if it is a PE 25 | description: > 26 | The file's relevant sections, if it is a PE 27 | 28 | - name: Ext.sections.name 29 | level: custom 30 | type: keyword 31 | example: ".reloc" 32 | description: > 33 | The section's name 34 | 35 | - name: Ext.sections.hash 36 | level: custom 37 | type: object 38 | description: > 39 | Hashes of the section's contents (the hash field set is reused here; see custom_hash.yml) 40 | 41 | - name: Ext.streams 42 | level: custom 43 | type: object 44 | short: The file's streams, if it is a PE 45 | description: > 46 | The file's streams, if it is a PE 47 | 48 | - name: Ext.streams.name 49 | level: custom 50 | type: keyword 51 | example: ".reloc" 52 | description: > 53 | The stream's name 54 | 55 | - name: Ext.streams.hash 56 | level: custom 57 | type: object 58 | description: > 59 | Hashes of the stream's contents (the hash field set is reused here; see custom_hash.yml) 60 | 
-------------------------------------------------------------------------------- /custom_schemas/custom_persistence.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Persistence 3 | title: Persistence 4 | group: 2 5 | short: These fields contain information about persistence event. 6 | description: > 7 | These fields contain information about a Persistence event. 8 | type: group 9 | fields: 10 | - name: path 11 | level: custom 12 | type: keyword 13 | description: > 14 | The file's path 15 | - name: name 16 | level: custom 17 | type: keyword 18 | description: > 19 | The persistence item's name 20 | - name: executable 21 | level: custom 22 | type: keyword 23 | description: > 24 | The persistence item's executable 25 | - name: args 26 | level: custom 27 | type: keyword 28 | description: > 29 | Arguments used to execute the persistence item 30 | - name: runatload 31 | level: custom 32 | type: boolean 33 | description: > 34 | Run at load option boolean 35 | - name: keepalive 36 | level: custom 37 | type: boolean 38 | description: > 39 | Keep alive option boolean -------------------------------------------------------------------------------- /custom_schemas/custom_target.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Target 3 | title: Target 4 | group: 2 5 | short: These fields contain information about a target. 6 | description: > 7 | These fields contain information about a target. 8 | 9 | These fields provide more context about the target process 10 | and thread that are related to the data in the document. 11 | Useful in a security context where a target process or thread 12 | may be acted on by another process or thread. 13 | type: group 14 | fields: 15 | - name: process 16 | level: custom 17 | type: object 18 | description: > 19 | Process. 
20 | 21 | - name: dll 22 | level: custom 23 | type: object 24 | description: > 25 | Dll core fieldset reused here. 26 | -------------------------------------------------------------------------------- /custom_schemas/custom_user.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: user 3 | title: User 4 | group: 2 5 | short: Fields to describe the user relevant to the event. 6 | description: > 7 | The user fields describe information about the user that is relevant 8 | to the event. 9 | 10 | Fields can have one entry or multiple entries. If a 11 | user has more than one id, provide an array that includes all of 12 | them. 13 | type: group 14 | reusable: 15 | top_level: true 16 | expected: 17 | - host 18 | - at: process 19 | as: attested_user 20 | short_override: The externally attested user based on an external source such as the Kube API. 21 | beta: Reusing the `user` fields in this location is currently considered beta. 22 | 23 | fields: 24 | - name: group 25 | level: extended 26 | type: object 27 | description: 'The group fields are meant to represent groups that are 28 | relevant to the event.' 29 | 30 | - name: Ext 31 | level: custom 32 | type: object 33 | description: Object for all custom defined fields to live in. 34 | 35 | - name: Ext.real 36 | level: custom 37 | type: object 38 | description: User info prior to any setuid operations. 39 | 40 | - name: Ext.real.id 41 | level: custom 42 | type: keyword 43 | description: > 44 | One or multiple unique identifiers of the user. 45 | 46 | - name: Ext.real.name 47 | level: custom 48 | type: keyword 49 | description: > 50 | Short name or login of the user. 
51 | -------------------------------------------------------------------------------- /custom_schemas/custom_winlog.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: winlog 3 | title: Winlog 4 | group: 2 5 | short: These fields contain information about the Windows Event Log. 6 | description: > 7 | These fields provide detailed information regarding events logged in the 8 | Windows Event Log. The Windows Event Log is a centralized system used by 9 | Windows to record events related to system, application, and security 10 | activities. Each event log entry is categorized by a specific event type, 11 | and contains relevant metadata that can include the event source, event ID, 12 | timestamp, user details, and other associated data. 13 | type: group 14 | fields: 15 | - name: event_data 16 | level: custom 17 | type: object 18 | description: > 19 | The event-specific data. This is a non-exhaustive list of parameters 20 | that are used in Windows events. 21 | 22 | - name: event_data.PrivilegeList 23 | level: custom 24 | type: keyword 25 | description: > 26 | An array of the sensitive privileges assigned to the new logon. A populated list 27 | indicates an elevated (special-privilege) logon and is worth alerting on. 28 | example: SeTcbPrivilege, SeSecurityPrivilege 29 | -------------------------------------------------------------------------------- /custom_subsets/README.md: -------------------------------------------------------------------------------- 1 | # Custom Subsets 2 | 3 | This directory contains the definitions for generating ECS files (templates, docs, etc). The subset format allows us to 4 | specify a subset of the ECS schema as well as custom definitions to use when generating files. 
5 | 6 | For example, if you wanted to create a mapping file that only contained [host.os.platform](https://github.com/elastic/ecs/blob/master/schemas/os.yml#L16) 7 | you would create a subset file as follows: 8 | 9 | ```yml 10 | host: 11 | fields: 12 | os: 13 | fields: 14 | platform: 15 | fields: "*" 16 | ``` 17 | 18 | Or this equivalent shorthand: 19 | 20 | ```yml 21 | host: 22 | fields: 23 | os: 24 | fields: 25 | platform: {} 26 | ``` 27 | 28 | ## Generating the ECS files 29 | 30 | To generate the ECS files, you will need to clone the [ECS repository](https://github.com/elastic/ecs). 31 | 32 | Once you have that cloned, install the Python dependencies listed in `requirements.txt` under the `scripts` directory (for example `pip install -r scripts/requirements.txt`). 33 | 34 | The [scripts/generator.py](https://github.com/elastic/ecs/blob/master/scripts/generator.py) script is used to generate 35 | the files. The script accepts the following flags: 36 | 37 | - `--out` to point to the location to write the generated files 38 | 39 | - `--include` to point to the `custom_schemas` [directory](../custom_schemas) or wherever your additional schema is located 40 | 41 | - `--subset` in glob format to point to the subset files to use 42 | 43 | ### Generating templates 44 | 45 | ```bash 46 | cd ecs 47 | python scripts/generator.py --out ../gen --include ../endpoint-app-team/custom_schemas --subset ../endpoint-app-team/custom_subsets/elastic_endpoint/events/* 48 | ``` 49 | 50 | The generated files will be in `../gen` 51 | 52 | ### Generating the schema files 53 | 54 | To generate the event schema files in [schemas](../schemas/v1) follow the instructions in the [event_schema_generator](../scripts/event_schema_generator/README.md) 55 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/action_responses/action_responses.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: action_responses 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | 
action_id: {} 8 | completed_at: {} 9 | data: 10 | fields: "*" 11 | status: {} 12 | started_at: {} 13 | agent_id: {} 14 | EndpointActions: 15 | fields: 16 | action_id: {} 17 | completed_at: {} 18 | data: 19 | fields: "*" 20 | status: {} 21 | started_at: {} 22 | agent: 23 | fields: 24 | id: {} 25 | error: 26 | fields: 27 | code: {} 28 | id: {} 29 | message: {} 30 | stack_trace: {} 31 | type: {} 32 | data_stream: 33 | fields: "*" 34 | ecs: 35 | fields: 36 | version: {} 37 | event: 38 | fields: 39 | action: {} 40 | category: {} 41 | created: {} 42 | end: {} 43 | hash: {} 44 | id: {} 45 | ingested: {} 46 | outcome: {} 47 | start: {} 48 | type: {} 49 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/actions/actions.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: actions 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | action_id: {} 8 | agents: {} 9 | data: 10 | fields: "*" 11 | expiration: {} 12 | input_type: {} 13 | type: {} 14 | user_id: {} 15 | EndpointActions: 16 | fields: 17 | action_id: {} 18 | expiration: {} 19 | input_type: {} 20 | data: 21 | fields: "*" 22 | type: {} 23 | agent: 24 | fields: 25 | id: {} 26 | policy: 27 | fields: 28 | elasticAgentId: {} 29 | integrationPolicyId: {} 30 | agentPolicyId: {} 31 | space: 32 | fields: 33 | originSpaceId: {} 34 | rule: 35 | fields: 36 | id: {} 37 | name: {} 38 | error: 39 | fields: 40 | code: {} 41 | id: {} 42 | message: {} 43 | stack_trace: {} 44 | type: {} 45 | data_stream: 46 | fields: "*" 47 | ecs: 48 | fields: 49 | version: {} 50 | event: 51 | fields: 52 | action: {} 53 | category: {} 54 | created: {} 55 | end: {} 56 | hash: {} 57 | id: {} 58 | ingested: {} 59 | outcome: {} 60 | start: {} 61 | type: {} 62 | user: 63 | fields: 64 | id: {} 65 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/collection/collection.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | name: collection 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | data_stream: 8 | fields: "*" 9 | ecs: 10 | fields: 11 | version: {} 12 | event: 13 | fields: 14 | action: {} 15 | category: {} 16 | created: {} 17 | code: {} 18 | dataset: {} 19 | hash: {} 20 | id: {} 21 | ingested: {} 22 | kind: {} 23 | module: {} 24 | outcome: {} 25 | provider: {} 26 | sequence: {} 27 | severity: {} 28 | type: {} 29 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/file/unquarantine.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: unquarantine 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | data_stream: 8 | fields: "*" 9 | ecs: 10 | fields: 11 | version: {} 12 | # these fields are needed in the mapping so the maps page of the security app does not throw a bunch of errors 13 | source: 14 | fields: 15 | geo: 16 | fields: "*" 17 | destination: 18 | fields: 19 | geo: 20 | fields: "*" 21 | host: 22 | fields: 23 | name: {} 24 | hostname: {} 25 | ip: {} 26 | mac: {} 27 | architecture: {} 28 | id: {} 29 | os: 30 | fields: 31 | platform: {} 32 | version: {} 33 | family: {} 34 | name: {} 35 | kernel: {} 36 | full: {} 37 | type: {} 38 | Ext: 39 | fields: 40 | variant: {} 41 | event: 42 | fields: 43 | action: {} 44 | category: {} 45 | created: {} 46 | dataset: {} 47 | id: {} 48 | kind: {} 49 | module: {} 50 | outcome: {} 51 | sequence: {} 52 | type: {} 53 | ingested: {} 54 | Ext: 55 | fields: 56 | correlation: 57 | fields: 58 | id: {} 59 | agent: 60 | fields: 61 | version: {} 62 | type: {} 63 | id: {} 64 | file: 65 | fields: 66 | name: {} 67 | path: {} 68 | hash: 69 | fields: 70 | md5: {} 71 | sha1: {} 72 | sha256: {} 73 | Ext: 74 | fields: 75 | original: 76 | fields: 77 | path: {} 78 | 
-------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/heartbeat/heartbeat.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: heartbeat 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | message: {} 8 | billable: {} 9 | agent: 10 | fields: 11 | id: {} 12 | data_stream: 13 | fields: "*" 14 | event: 15 | fields: 16 | ingested: {} 17 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/metadata/metadata.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: metadata 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | data_stream: 8 | fields: "*" 9 | ecs: 10 | fields: 11 | version: {} 12 | event: 13 | fields: 14 | action: {} 15 | category: {} 16 | created: {} 17 | code: {} 18 | dataset: {} 19 | hash: {} 20 | id: {} 21 | ingested: {} 22 | kind: {} 23 | module: {} 24 | outcome: {} 25 | provider: {} 26 | sequence: {} 27 | severity: {} 28 | type: {} 29 | Endpoint: 30 | fields: 31 | status: {} 32 | policy: 33 | fields: 34 | applied: 35 | fields: 36 | id: {} 37 | status: {} 38 | name: {} 39 | configuration: 40 | fields: 41 | isolation: {} 42 | state: 43 | fields: 44 | isolation: {} 45 | capabilities: {} 46 | elastic: 47 | fields: 48 | agent: 49 | fields: 50 | id: {} 51 | agent: 52 | fields: 53 | version: {} 54 | id: {} 55 | name: {} 56 | type: {} 57 | host: 58 | fields: 59 | architecture: {} 60 | domain: {} 61 | hostname: {} 62 | id: {} 63 | ip: {} 64 | mac: {} 65 | name: {} 66 | type: {} 67 | uptime: {} 68 | os: 69 | fields: 70 | family: {} 71 | full: {} 72 | kernel: {} 73 | platform: {} 74 | version: {} 75 | name: {} 76 | type: {} 77 | Ext: 78 | fields: 79 | variant: {} 80 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/metrics/metrics.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | name: metrics 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | message: {} 8 | agent: 9 | fields: 10 | version: {} 11 | type: {} 12 | id: {} 13 | data_stream: 14 | fields: "*" 15 | ecs: 16 | fields: 17 | version: {} 18 | Endpoint: 19 | fields: 20 | metrics: 21 | fields: "*" 22 | host: 23 | fields: 24 | architecture: {} 25 | domain: {} 26 | hostname: {} 27 | id: {} 28 | ip: {} 29 | mac: {} 30 | name: {} 31 | type: {} 32 | uptime: {} 33 | os: 34 | fields: 35 | family: {} 36 | full: {} 37 | kernel: {} 38 | platform: {} 39 | version: {} 40 | name: {} 41 | type: {} 42 | Ext: 43 | fields: 44 | variant: {} 45 | event: 46 | fields: 47 | action: {} 48 | category: {} 49 | created: {} 50 | code: {} 51 | dataset: {} 52 | end: {} 53 | hash: {} 54 | id: {} 55 | ingested: {} 56 | kind: {} 57 | module: {} 58 | outcome: {} 59 | provider: {} 60 | sequence: {} 61 | severity: {} 62 | start: {} 63 | type: {} 64 | -------------------------------------------------------------------------------- /custom_subsets/elastic_endpoint/policy/policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: policy 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | message: {} 8 | agent: 9 | fields: 10 | version: {} 11 | type: {} 12 | id: {} 13 | build: 14 | fields: 15 | original: {} 16 | data_stream: 17 | fields: "*" 18 | ecs: 19 | fields: 20 | version: {} 21 | Endpoint: 22 | fields: 23 | policy: 24 | fields: 25 | applied: 26 | fields: "*" 27 | configuration: 28 | fields: 29 | isolation: {} 30 | state: 31 | fields: 32 | isolation: {} 33 | event: 34 | fields: 35 | action: {} 36 | category: {} 37 | created: {} 38 | code: {} 39 | dataset: {} 40 | hash: {} 41 | id: {} 42 | ingested: {} 43 | kind: {} 44 | module: {} 45 | outcome: {} 46 | provider: {} 47 | sequence: {} 48 | severity: {} 49 | type: {} 50 | host: 51 | fields: 52 | id: {} 53 | ip: {} 
54 | hostname: {} 55 | name: {} 56 | mac: {} 57 | architecture: {} 58 | os: 59 | fields: 60 | name: {} 61 | platform: {} 62 | family: {} 63 | kernel: {} 64 | full: {} 65 | version: {} 66 | type: {} 67 | Ext: 68 | fields: 69 | variant: {} 70 | -------------------------------------------------------------------------------- /custom_subsets/legacy/alert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: alert 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | labels: {} 8 | message: {} 9 | # data.alert_details.acting_process.unique_pid 10 | endgame: 11 | fields: 12 | data: 13 | fields: 14 | alert_details: 15 | fields: 16 | acting_process: 17 | fields: 18 | unique_pid: {} 19 | serial_event_id: {} 20 | -------------------------------------------------------------------------------- /custom_subsets/legacy/dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: dns 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | labels: {} 8 | message: {} 9 | host: 10 | fields: 11 | os: 12 | fields: 13 | platform: {} 14 | name: {} 15 | version: {} 16 | ip: {} 17 | hostname: {} 18 | name: {} 19 | event: 20 | fields: 21 | id: {} 22 | module: {} 23 | dataset: {} 24 | action: {} 25 | kind: {} 26 | category: {} 27 | type: {} 28 | agent: 29 | fields: 30 | version: {} 31 | type: {} 32 | id: {} 33 | network: 34 | fields: 35 | transport: {} 36 | protocol: {} 37 | community_id: {} 38 | bytes: {} 39 | packets: {} 40 | source: 41 | fields: 42 | address: {} 43 | ip: {} 44 | port: {} 45 | bytes: {} 46 | packets: {} 47 | destination: 48 | fields: 49 | address: {} 50 | ip: {} 51 | port: {} 52 | bytes: {} 53 | packets: {} 54 | dns: 55 | fields: 56 | question: 57 | fields: 58 | name: {} 59 | type: {} 60 | registered_domain: {} 61 | resolved_ip: {} 62 | endgame: 63 | fields: 64 | serial_event_id: {} 65 | opcode: {} 66 | event_type_full: {} 67 | event_subtype_full: {} 68 | timestamp: 
{} 69 | timestamp_utc: {} 70 | event_message: {} 71 | unknown_properties: {} 72 | pid: {} 73 | process_path: {} 74 | process_name: {} 75 | unique_pid: {} 76 | user_name: {} 77 | user_domain: {} 78 | user_sid: {} 79 | tid: {} 80 | real_user_name: {} 81 | effective_user_name: {} 82 | real_group_name: {} 83 | effective_group_name: {} 84 | real_uid: {} 85 | effective_uid: {} 86 | real_gid: {} 87 | effective_gid: {} 88 | query_name: {} 89 | event_id: {} 90 | query_type: {} 91 | query_status: {} 92 | query_options: {} 93 | query_results: {} 94 | -------------------------------------------------------------------------------- /custom_subsets/legacy/file.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: file 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | labels: {} 8 | message: {} 9 | host: 10 | fields: 11 | os: 12 | fields: 13 | platform: {} 14 | name: {} 15 | version: {} 16 | ip: {} 17 | hostname: {} 18 | name: {} 19 | event: 20 | fields: 21 | id: {} 22 | module: {} 23 | dataset: {} 24 | action: {} 25 | kind: {} 26 | category: {} 27 | type: {} 28 | agent: 29 | fields: 30 | version: {} 31 | type: {} 32 | id: {} 33 | 34 | endgame: 35 | fields: 36 | serial_event_id: {} 37 | opcode: {} 38 | event_type_full: {} 39 | event_subtype_full: {} 40 | timestamp: {} 41 | timestamp_utc: {} 42 | event_message: {} 43 | unknown_properties: {} 44 | pid: {} 45 | process_path: {} 46 | process_name: {} 47 | unique_pid: {} 48 | user_name: {} 49 | user_domain: {} 50 | user_sid: {} 51 | tid: {} 52 | real_user_name: {} 53 | effective_user_name: {} 54 | real_group_name: {} 55 | effective_group_name: {} 56 | real_uid: {} 57 | effective_uid: {} 58 | real_gid: {} 59 | effective_gid: {} 60 | # end of generic stuff 61 | file_path: {} 62 | file_name: {} 63 | md5: {} 64 | sha1: {} 65 | sha256: {} 66 | old_file_path: {} 67 | old_file_name: {} 68 | create_disposition: {} 69 | desired_access: {} 70 | create_options: {} 71 | share_mode: {} 72 
| file_attributes: {} 73 | zone_id: {} 74 | other_file_path: {} 75 | fileid: {} 76 | parent_pid: {} 77 | file_mode: {} 78 | -------------------------------------------------------------------------------- /custom_subsets/legacy/imageload.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: imageload 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | labels: {} 8 | message: {} 9 | host: 10 | fields: 11 | os: 12 | fields: 13 | platform: {} 14 | name: {} 15 | version: {} 16 | ip: {} 17 | hostname: {} 18 | name: {} 19 | event: 20 | fields: 21 | id: {} 22 | module: {} 23 | dataset: {} 24 | action: {} 25 | kind: {} 26 | category: {} 27 | type: {} 28 | agent: 29 | fields: 30 | version: {} 31 | type: {} 32 | id: {} 33 | endgame: 34 | fields: 35 | serial_event_id: {} 36 | opcode: {} 37 | event_type_full: {} 38 | event_subtype_full: {} 39 | timestamp: {} 40 | timestamp_utc: {} 41 | event_message: {} 42 | unknown_properties: {} 43 | pid: {} 44 | process_path: {} 45 | process_name: {} 46 | unique_pid: {} 47 | user_name: {} 48 | user_domain: {} 49 | user_sid: {} 50 | tid: {} 51 | real_user_name: {} 52 | effective_user_name: {} 53 | real_group_name: {} 54 | effective_group_name: {} 55 | real_uid: {} 56 | effective_uid: {} 57 | real_gid: {} 58 | effective_gid: {} 59 | # end of generic stuff 60 | 61 | image_path: {} 62 | image_name: {} 63 | md5: {} 64 | sha1: {} 65 | sha256: {} 66 | signature_signer: {} 67 | signature_status: {} 68 | file_version: {} 69 | product_version: {} 70 | original_file_name: {} 71 | -------------------------------------------------------------------------------- /custom_subsets/legacy/registry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: registry 3 | fields: 4 | base: 5 | fields: 6 | "@timestamp": {} 7 | labels: {} 8 | message: {} 9 | host: 10 | fields: 11 | os: 12 | fields: 13 | platform: {} 14 | name: {} 15 | version: {} 16 | ip: {} 17 
| hostname: {} 18 | name: {} 19 | event: 20 | fields: 21 | id: {} 22 | module: {} 23 | dataset: {} 24 | action: {} 25 | kind: {} 26 | category: {} 27 | type: {} 28 | agent: 29 | fields: 30 | version: {} 31 | type: {} 32 | id: {} 33 | endgame: 34 | fields: 35 | serial_event_id: {} 36 | opcode: {} 37 | event_type_full: {} 38 | event_subtype_full: {} 39 | timestamp: {} 40 | timestamp_utc: {} 41 | event_message: {} 42 | unknown_properties: {} 43 | pid: {} 44 | process_path: {} 45 | process_name: {} 46 | unique_pid: {} 47 | user_name: {} 48 | user_domain: {} 49 | user_sid: {} 50 | tid: {} 51 | real_user_name: {} 52 | effective_user_name: {} 53 | real_group_name: {} 54 | effective_group_name: {} 55 | real_uid: {} 56 | effective_uid: {} 57 | real_gid: {} 58 | effective_gid: {} 59 | # end of generic stuff 60 | key_path: {} 61 | key_type: {} 62 | bytes_written_count: {} 63 | bytes_written: {} 64 | bytes_written_u32: {} 65 | bytes_written_u64: {} 66 | bytes_written_string: {} 67 | bytes_written_string_list: {} 68 | -------------------------------------------------------------------------------- /doc_templates/endpoint/docs/CustomDocumentation.md: -------------------------------------------------------------------------------- 1 | # {{overview_name}} 2 | 3 | - OS: {{identification_os}} 4 | - Data Stream: `{{identification_data_stream}}` 5 | - KQL: `{{identification_kql}}` 6 | 7 | {{overview_description}} 8 | 9 | {{fields}} 10 | -------------------------------------------------------------------------------- /doc_templates/endpoint/docs/CustomDocumentationREADME.md: -------------------------------------------------------------------------------- 1 | ## Endpoint Event Documentation 2 | 3 | **This documentation is still beta** 4 | 5 | The subdirectories document all ECS fields that may exist in documents generated by Endpoint into 6 | logs and metrics datastreams. 
Only fields included by Endpoint are documented; those added during 7 | integration pipeline enrichment in Elasticsearch are outside the scope of this documentation. 8 | 9 | Endpoint state management documents are described in a cross-platform way because they are largely 10 | identical on each OS. Events are documented per-OS. Documentation for each state management or event 11 | document includes the relevant OS(es), the data stream the document is found in, a KQL filter to 12 | match on the document, and all the fields associated with the document. 13 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | # This should start the environment with the latest snapshots. 2 | 3 | version: "3.8" 4 | services: 5 | package-registry: 6 | # to use the latest package-registry alone you can use: docker.elastic.co/package-registry/package-registry:master (note: `main`/`master` are floating tags that change over time; pin a release tag or an image digest such as `image@sha256:...` when you need a reproducible, auditable environment) 7 | environment: 8 | - EPR_FEATURE_PROXY_MODE=true 9 | image: docker.elastic.co/package-registry/package-registry:main 10 | volumes: 11 | - ./package-registry.config.yml:/package-registry/config.yml 12 | - ./out/packages:/packages/endpoint-package 13 | ports: 14 | - "127.0.0.1:8080:8080" # loopback only on purpose: this registry runs with dev_mode enabled, so do not rebind it to 0.0.0.0 15 | -------------------------------------------------------------------------------- /docs/token_repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/endpoint-package/a905be572b29e3a4b16392e7ba10dc6e85071e39/docs/token_repo.png -------------------------------------------------------------------------------- /docs/token_user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/endpoint-package/a905be572b29e3a4b16392e7ba10dc6e85071e39/docs/token_user.png -------------------------------------------------------------------------------- 
/package-registry.config.yml: -------------------------------------------------------------------------------- 1 | package_paths: 2 | - /packages/endpoint-package 3 | dev_mode: true 4 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.026381581Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Action Responses 2 | type: logs 3 | dataset: endpoint.action.responses 4 | hidden: true 5 | 
elasticsearch: 6 | index_template: 7 | mappings: 8 | dynamic: false 9 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/action_responses/sample_event.json: -------------------------------------------------------------------------------- 1 | { 2 | "EndpointActions": { 3 | "completed_at": "2022-04-04T20:44:14.0Z", 4 | "data": { 5 | "comment": "Action completed successfully", 6 | "command": "isolate" 7 | }, 8 | "action_id": "cfa1d245-24ad-4867-8043-475d4ee2a111", 9 | "started_at": "2022-04-04T20:44:08.0Z" 10 | }, 11 | "agent": { 12 | "id": "c8cad7f3-9e62-43d0-94ed-8c51670fae62" 13 | }, 14 | "@timestamp": "2022-04-04T20:44:14.0Z", 15 | "data_stream": { 16 | "namespace": "default", 17 | "type": ".logs", 18 | "dataset": "endpoint.action.responses" 19 | }, 20 | "event": { 21 | "agent_id_status": "verified", 22 | "ingested": "2022-04-04T20:44:45Z" 23 | } 24 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/actions/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/actions/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/actions/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.144955257Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- 
/package/endpoint/data_stream/actions/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/actions/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Actions 2 | type: logs 3 | dataset: endpoint.actions 4 | hidden: true 5 | elasticsearch: 6 | index_template: 7 | mappings: 8 | dynamic: false 9 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/actions/sample_event.json: -------------------------------------------------------------------------------- 1 | { 2 | "EndpointActions": { 3 | "data": { 4 | "comment": "testing isolation", 5 | "command": "isolate" 6 | }, 7 | "action_id": "cfa1d245-24ad-4867-8043-475d4ee2a111", 8 | "input_type": "endpoint", 9 | "expiration": "2022-04-18T20:44:07.805Z", 10 | "type": "INPUT_ACTION" 11 | }, 12 | "agent": { 13 | "id": [ 14 | "c8cad7f3-9e62-43d0-94ed-8c51670fae62" 15 | ], 16 | "policy": [ 17 | { 18 | "agentId": "ff1a47b4-71ed-4cbf-ad7f-55203358850d", 19 | "elasticAgentId": "1e2f91a1-1946-460d-b885-af983d964ea3", 20 | "integrationPolicyId": "645fe9a9-2afd-4b4b-a2d7-38ee21e0f19d", 21 | "agentPolicyId": "e9734d0c-1816-4d68-8d9a-84418a850927" 22 | }, 23 | { 24 | "agentId": "a756f3f4-c974-4d44-84f5-ba02a954cd55", 25 | "elasticAgentId": "20ceb5f6-4e15-4db5-9494-f47f589de33f", 26 | "integrationPolicyId": "1f297497-14d4-4bf5-9d26-7c5e629e1d62", 27 | "agentPolicyId": "100a3ee3-5304-4fc9-b495-e0022178a2f3" 28 | } 29 | ] 30 | }, 31 | "originSpaceId": "b88dae77-9037-459b-be31-efefa6788362", 32 | "@timestamp": 
"2022-04-04T20:44:07.805Z", 33 | "event": { 34 | "agent_id_status": "auth_metadata_missing", 35 | "ingested": "2022-04-04T20:44:07Z" 36 | }, 37 | "user": { 38 | "id": "user@elastic.co" 39 | } 40 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/alerts/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/alerts/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/alerts/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.230947139Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/alerts/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/alerts/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Alerts 2 | type: logs 3 | elasticsearch: 4 | index_template: 5 | settings: 6 | index: 7 | mapping: 8 | nested_fields: 9 | limit: 80 
10 | total_fields: 11 | limit: 5000 12 | mappings: 13 | dynamic: false 14 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/api/_dev/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/api/_dev/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/api/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/api/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint API Events 2 | type: logs 3 | dataset: endpoint.events.api 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/_dev/test/pipeline/test-ingest-timestamp.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.394734536Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/elasticsearch/ilm/diagnostic.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "phases": { 4 | "hot": { 5 | "min_age": "0ms", 6 | "actions": { 7 | "rollover": { 8 | "max_size": "1gb", 9 | "max_age": "7d", 10 | "max_docs": 10000 11 | } 12 | } 13 | }, 14 | "delete": { 15 | "min_age": "10m", 16 | "actions": { 17 | "delete": {} 18 | } 19 | } 20 | } 21 | } 22 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/collection/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Alert Collection 2 | type: logs 3 | dataset: endpoint.diagnostic.collection 4 | hidden: true 5 | ilm_policy: logs-endpoint.collection-diagnostic 6 | elasticsearch: 7 | index_template: 8 | mappings: 9 | dynamic: false 10 | 
-------------------------------------------------------------------------------- /package/endpoint/data_stream/file/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/file/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/file/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.534244330Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/file/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/file/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint File Events 2 | type: logs 3 | dataset: endpoint.events.file 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/heartbeat/elasticsearch/ingest_pipeline/default.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/heartbeat/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Heartbeat 2 | type: logs 3 | dataset: endpoint.heartbeat 4 | hidden: true 5 | elasticsearch: 6 | index_template: 7 | mappings: 8 | dynamic: false 9 | settings: 10 | index: 11 | sort: 12 | field: 13 | - event.ingested 14 | order: 15 | - desc 16 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/heartbeat/sample_event.json: -------------------------------------------------------------------------------- 1 | { 2 | "@timestamp": "2023-07-18T20:40:09.279939Z", 3 | "agent": { 4 | "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" 5 | }, 6 | "data_stream": { 7 | "dataset": "endpoint.heartbeat", 8 | "namespace": "default", 9 | "type": ".logs" 10 | }, 11 | "message": "Endpoint heartbeat", 12 | "event": { 13 | "ingested": "2023-07-18T20:40:09.279939Z" 14 | }, 15 | "billable": true 16 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/library/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/library/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } 
-------------------------------------------------------------------------------- /package/endpoint/data_stream/library/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.668565371Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/library/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/library/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Library and Driver Events 2 | type: logs 3 | dataset: endpoint.events.library 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metadata/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metadata/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- 
/package/endpoint/data_stream/metadata/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.805612065Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/metadata/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metadata/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Metadata 2 | type: metrics 3 | elasticsearch: 4 | index_template: 5 | mappings: 6 | dynamic: false 7 | settings: 8 | index: 9 | sort: 10 | field: 11 | - "@timestamp" 12 | - agent.id 13 | order: 14 | - desc 15 | - asc 16 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metrics/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metrics/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/metrics/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:49.943581943Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/metrics/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/metrics/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Metrics 2 | type: metrics 3 | elasticsearch: 4 | index_template: 5 | mappings: 6 | dynamic: false 7 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-dns.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | { 4 | "network": { 5 | "protocol": "dns" 6 | }, 7 | "message": "DNS query is completed for the name X type 1" 8 | }, 9 | { 10 | "network": { 11 | "protocol": "dns" 12 | }, 13 | "message": "DNS query is completed for the name X type 2" 14 | }, 15 | { 16 | "network": { 17 | "protocol": "dns" 18 | }, 19 | "message": "DNS query is completed for the name X type 5" 20 | }, 21 | { 22 | "network": { 23 | "protocol": "dns" 24 | }, 25 | 
"message": "DNS query is completed for the name X type 6" 26 | }, 27 | { 28 | "network": { 29 | "protocol": "dns" 30 | }, 31 | "message": "DNS query is completed for the name X type 12" 32 | }, 33 | { 34 | "network": { 35 | "protocol": "dns" 36 | }, 37 | "message": "DNS query is completed for the name X type 15" 38 | }, 39 | { 40 | "network": { 41 | "protocol": "dns" 42 | }, 43 | "message": "DNS query is completed for the name X type 16" 44 | }, 45 | { 46 | "network": { 47 | "protocol": "dns" 48 | }, 49 | "message": "DNS query is completed for the name X type 28" 50 | } 51 | ] 52 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-geo.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | { 4 | "source": { 5 | "ip": "216.160.83.61" 6 | }, 7 | "destination": { 8 | "ip": "89.160.20.112" 9 | } 10 | } 11 | ] 12 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-geo.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "destination": { 5 | "as": { 6 | "number": 29518, 7 | "organization": { 8 | "name": "Bredband2 AB" 9 | } 10 | }, 11 | "geo": { 12 | "city_name": "Linköping", 13 | "continent_name": "Europe", 14 | "country_iso_code": "SE", 15 | "country_name": "Sweden", 16 | "location": { 17 | "lat": 58.4167, 18 | "lon": 15.6167 19 | }, 20 | "region_iso_code": "SE-E", 21 | "region_name": "Östergötland County" 22 | }, 23 | "ip": "89.160.20.112" 24 | }, 25 | "event": { 26 | "ingested": "2022-04-07T23:49:36.792320139Z" 27 | }, 28 | "source": { 29 | "as": { 30 | "number": 209 31 | }, 32 | "geo": { 33 | "city_name": "Milton", 34 | "continent_name": "North America", 35 | "country_iso_code": "US", 36 | "country_name": "United States", 37 | "location": { 38 
| "lat": 47.2513, 39 | "lon": -122.3149 40 | }, 41 | "region_iso_code": "US-WA", 42 | "region_name": "Washington" 43 | }, 44 | "ip": "216.160.83.61" 45 | } 46 | } 47 | ] 48 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T20:00:24.203245101Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/network/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Network Events 2 | type: logs 3 | dataset: endpoint.events.network 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/policy/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/policy/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/policy/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:50.167553816Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/policy/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/policy/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Policy Response 2 | type: metrics 3 | elasticsearch: 4 | index_template: 5 | mappings: 6 | dynamic: false 7 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/process/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/process/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/process/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:50.224396719Z" 6 | } 7 | } 8 | ] 9 | } 
-------------------------------------------------------------------------------- /package/endpoint/data_stream/process/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/process/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Process Events 2 | type: logs 3 | dataset: endpoint.events.process 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/registry/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/registry/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/registry/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:50.314967460Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/registry/elasticsearch/ingest_pipeline/default.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | "set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/registry/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Registry Events 2 | type: logs 3 | dataset: endpoint.events.registry 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/security/_dev/test/pipeline/test-common-config.yml: -------------------------------------------------------------------------------- 1 | dynamic_fields: 2 | 'event.ingested': ".*" 3 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/security/_dev/test/pipeline/test-ingest-timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "events": [ 3 | {} 4 | ] 5 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/security/_dev/test/pipeline/test-ingest-timestamp.json-expected.json: -------------------------------------------------------------------------------- 1 | { 2 | "expected": [ 3 | { 4 | "event": { 5 | "ingested": "2022-04-03T19:44:50.383741641Z" 6 | } 7 | } 8 | ] 9 | } -------------------------------------------------------------------------------- /package/endpoint/data_stream/security/elasticsearch/ingest_pipeline/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Pipeline for setting event.ingested", 3 | "processors": [ 4 | { 5 | 
"set": { 6 | "field": "event.ingested", 7 | "value": "{{ _ingest.timestamp }}", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /package/endpoint/data_stream/security/manifest.yml: -------------------------------------------------------------------------------- 1 | title: Endpoint Security Events 2 | type: logs 3 | dataset: endpoint.events.security 4 | elasticsearch: 5 | index_template: 6 | mappings: 7 | dynamic: false 8 | -------------------------------------------------------------------------------- /package/endpoint/elasticsearch/transform/metadata_current/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "source": { 3 | "index": "metrics-endpoint.metadata-*", 4 | "query": { 5 | "range": { 6 | "@timestamp": { 7 | "gt": "now-90d/d" 8 | } 9 | } 10 | } 11 | }, 12 | "dest": { 13 | "index": "metrics-endpoint.metadata_current_default" 14 | }, 15 | "latest": { 16 | "unique_key": [ 17 | "elastic.agent.id" 18 | ], 19 | "sort": "@timestamp" 20 | }, 21 | "description": "Latest Endpoint metadata document per host", 22 | "_meta": { 23 | "managed": true 24 | }, 25 | "frequency": "1s", 26 | "sync": { 27 | "time": { 28 | "field": "event.ingested", 29 | "delay": "1s" 30 | } 31 | } 32 | } -------------------------------------------------------------------------------- /package/endpoint/elasticsearch/transform/metadata_united/default.json: -------------------------------------------------------------------------------- 1 | { 2 | "source": { 3 | "index": [ 4 | "metrics-endpoint.metadata_current_default*", 5 | ".fleet-agents*" 6 | ] 7 | }, 8 | "dest": { 9 | "index": ".metrics-endpoint.metadata_united_default" 10 | }, 11 | "frequency": "1s", 12 | "sync": { 13 | "time": { 14 | "delay": "4s", 15 | "field": "updated_at" 16 | } 17 | }, 18 | "pivot": { 19 | "aggs": { 20 | "united": { 21 | "scripted_metric": { 22 | "init_script": "state.docs = 
[]", 23 | "map_script": "state.docs.add(new HashMap(params['_source']))", 24 | "combine_script": "return state.docs", 25 | "reduce_script": "def ret = new HashMap(); for (s in states) { for (d in s) { if (d.containsKey('Endpoint')) { ret.endpoint = d } else { ret.agent = d } }} return ret" 26 | } 27 | } 28 | }, 29 | "group_by": { 30 | "agent.id": { 31 | "terms": { 32 | "field": "agent.id" 33 | } 34 | } 35 | } 36 | }, 37 | "description": "Merges latest Endpoint and Agent metadata documents", 38 | "_meta": { 39 | "managed": true 40 | } 41 | } -------------------------------------------------------------------------------- /package/endpoint/img/security-logo-color-64px.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | security-logo-color-64px 5 | Created with Sketch. 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /package/endpoint/manifest.yml: -------------------------------------------------------------------------------- 1 | format_version: 3.0.0 2 | name: endpoint 3 | title: Elastic Defend 4 | description: Protect your hosts and cloud workloads with threat prevention, detection, and deep security data visibility. 5 | version: 9.1.0-prerelease.1 6 | categories: ["security", "edr_xdr"] 7 | # The package type. The options for now are [integration, input]; more types might be added in the future. 8 | 9 | # The default type is integration and will be set if empty. 10 | type: integration 11 | policy_templates: 12 | - name: endpoint 13 | title: Endpoint Security Integration 14 | description: Interact with the endpoint. 
15 | multiple: false 16 | conditions: 17 | kibana: 18 | version: "^9.1.0" 19 | # See https://github.com/Masterminds/semver#caret-range-comparisons-major for more details on `^` and supported versioning 20 | elastic: 21 | capabilities: ["security"] 22 | subscription: basic 23 | agent: 24 | privileges: 25 | root: true 26 | icons: 27 | - src: "/img/security-logo-color-64px.svg" 28 | size: "16x16" 29 | type: "image/svg+xml" 30 | owner: 31 | github: elastic/security-defend-workflows 32 | type: elastic 33 | -------------------------------------------------------------------------------- /schemas/README.md: -------------------------------------------------------------------------------- 1 | # Endpoint Schema 2 | 3 | This directory contains the generated schema definitions for documents stored in Elasticsearch. 4 | 5 | **These files should not be edited directly, nor should new files be added to this directory directly.** 6 | 7 | To generate these files take a look at the READMEs in [custom_schemas](../custom_schemas/README.md), 8 | [custom_subsets](../custom_subsets/README.md), 9 | and the actual script's [event_schema_generator](../scripts/event_schema_generator/README.md) 10 | -------------------------------------------------------------------------------- /schemas/examples/v1/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "@timestamp": "2020-03-03T19:08:32.74626000Z", 3 | "agent": { 4 | "id": "836977bf-9105-4667-9157-bd698e96c45d", 5 | "name": "endpoint", 6 | "version": "1.0.0-demo.20200229.4" 7 | }, 8 | "elastic": { 9 | "agent": { 10 | "id": "c2a9093e-e289-4c0a-aa44-8c32a414fa7b" 11 | } 12 | }, 13 | "endpoint": { 14 | "policy": { 15 | "id": "c2a9093e-e289-4c0a-aa44-8c32a414fa7a" 16 | } 17 | }, 18 | "ecs": { 19 | "version": "1.0.0" 20 | }, 21 | "event": { 22 | "created": "2020-03-03T19:08:32.74626000Z" 23 | }, 24 | "host": { 25 | "architecture": "x86_64", 26 | "hostname": "host1", 27 | "id": 
"836977bf-9999-4667-9157-bd698e96c45d", 28 | "ip": ["10.0.1.20"], 29 | "mac": ["00:0a:95:9d:68:16"], 30 | "os": { 31 | "full": "Windows 10 Pro", 32 | "name": "Windows 10", 33 | "variant": "Windows", 34 | "version": "10.0" 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /schemas/examples/v1/registry_creation.json: -------------------------------------------------------------------------------- 1 | { 2 | "@timestamp": "2020-03-03T19:08:32.74626000Z", 3 | "message": "Registry key created", 4 | "agent": { 5 | "id": "836977bf-9105-4667-9157-bd698e96c45d", 6 | "type": "endpoint", 7 | "version": "1.0.0-demo.20200229.4" 8 | }, 9 | "ecs": { 10 | "version": "1.0.0" 11 | }, 12 | "event": { 13 | "action": "created", 14 | "category": ["registry"], 15 | "id": "LZuf+05Wl/ji0z7y+++++++3", 16 | "kind": "event", 17 | "module": "endpoint", 18 | "type": ["creation"] 19 | }, 20 | "group": { 21 | "id": "S-1-5-18", 22 | "name": "Hyper-V Administrators" 23 | }, 24 | "host": { 25 | "geo": { 26 | "city_name": "Montreal", 27 | "continent_name": "North America", 28 | "country_iso_code": "CA", 29 | "country_name": "Canada", 30 | "location": { 31 | "lon": -73.61483, 32 | "lat": 45.505918 33 | }, 34 | "region_iso_code": "CA-QC", 35 | "region_name": "Quebec" 36 | }, 37 | "hostname": "host1", 38 | "ip": "10.0.1.20", 39 | "name": "host1", 40 | "os": { 41 | "name": "Windows 10", 42 | "platform": "windows", 43 | "version": "10.0" 44 | } 45 | }, 46 | "process": { 47 | "entity_id": "ODM2OTc3YmYtOTEwNS00NjY3LTkxNTctYmQ2OThlOTZjNDVkLTQtMTMyMjczOTE3OTIuOTcyMDYzMDA=", 48 | "executable": "C:\\Users\\default.win7x64devvm\\eclipse\\cpp-neon\\eclipse\\eclipse.exe", 49 | "name": "eclipse.exe", 50 | "pid": 5, 51 | "thread": { 52 | "id": 4242 53 | } 54 | }, 55 | "registry": { 56 | "data": { 57 | "bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=", 58 | "strings": ["C:\\rta\\red_ttp\\bin\\myapp.exe"] 59 | }, 60 | "hive": "HKLM", 61 | "key": 
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", 62 | "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger", 63 | "value": "Debugger" 64 | }, 65 | "user": { 66 | "id": "S-1-5-18", 67 | "name": "MINWINPC$" 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /schemas/examples/v1/registry_deletion.json: -------------------------------------------------------------------------------- 1 | { 2 | "@timestamp": "2020-03-03T19:08:32.74626000Z", 3 | "message": "Registry key deleted", 4 | "agent": { 5 | "id": "836977bf-9105-4667-9157-bd698e96c45d", 6 | "type": "endpoint", 7 | "version": "1.0.0-demo.20200229.4" 8 | }, 9 | "ecs": { 10 | "version": "1.0.0" 11 | }, 12 | "event": { 13 | "action": "deleted", 14 | "category": ["registry"], 15 | "id": "LZuf+05Wl/ji0z7y+++++++3", 16 | "kind": "event", 17 | "module": "endpoint", 18 | "type": ["deletion"] 19 | }, 20 | "group": { 21 | "id": "S-1-5-18", 22 | "name": "Hyper-V Administrators" 23 | }, 24 | "host": { 25 | "geo": { 26 | "city_name": "Montreal", 27 | "continent_name": "North America", 28 | "country_iso_code": "CA", 29 | "country_name": "Canada", 30 | "location": { 31 | "lon": -73.61483, 32 | "lat": 45.505918 33 | }, 34 | "region_iso_code": "CA-QC", 35 | "region_name": "Quebec" 36 | }, 37 | "hostname": "host1", 38 | "ip": "10.0.1.20", 39 | "name": "host1", 40 | "os": { 41 | "name": "Windows 10", 42 | "platform": "windows", 43 | "version": "10.0" 44 | } 45 | }, 46 | "process": { 47 | "entity_id": "ODM2OTc3YmYtOTEwNS00NjY3LTkxNTctYmQ2OThlOTZjNDVkLTQtMTMyMjczOTE3OTIuOTcyMDYzMDA=", 48 | "executable": "C:\\Users\\default.win7x64devvm\\eclipse\\cpp-neon\\eclipse\\eclipse.exe", 49 | "name": "eclipse.exe", 50 | "pid": 5, 51 | "thread": { 52 | "id": 4242 53 | } 54 | }, 55 | "registry": { 56 | "data": { 57 | "bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=", 58 | "strings": 
["C:\\rta\\red_ttp\\bin\\myapp.exe"] 59 | }, 60 | "hive": "HKLM", 61 | "key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", 62 | "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger", 63 | "value": "Debugger" 64 | }, 65 | "user": { 66 | "id": "S-1-5-18", 67 | "name": "MINWINPC$" 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /schemas/examples/v1/registry_modification.json: -------------------------------------------------------------------------------- 1 | { 2 | "@timestamp": "2020-03-03T19:08:32.74626000Z", 3 | "message": "Registry key modified", 4 | "agent": { 5 | "id": "836977bf-9105-4667-9157-bd698e96c45d", 6 | "type": "endpoint", 7 | "version": "1.0.0-demo.20200229.4" 8 | }, 9 | "ecs": { 10 | "version": "1.0.0" 11 | }, 12 | "event": { 13 | "action": "modified", 14 | "category": ["registry"], 15 | "id": "LZuf+05Wl/ji0z7y+++++++3", 16 | "kind": "event", 17 | "module": "endpoint", 18 | "type": ["change"] 19 | }, 20 | "group": { 21 | "id": "S-1-5-18", 22 | "name": "Hyper-V Administrators" 23 | }, 24 | "host": { 25 | "geo": { 26 | "city_name": "Montreal", 27 | "continent_name": "North America", 28 | "country_iso_code": "CA", 29 | "country_name": "Canada", 30 | "location": { 31 | "lon": -73.61483, 32 | "lat": 45.505918 33 | }, 34 | "region_iso_code": "CA-QC", 35 | "region_name": "Quebec" 36 | }, 37 | "hostname": "host1", 38 | "ip": "10.0.1.20", 39 | "name": "host1", 40 | "os": { 41 | "name": "Windows 10", 42 | "platform": "windows", 43 | "version": "10.0" 44 | } 45 | }, 46 | "process": { 47 | "entity_id": "ODM2OTc3YmYtOTEwNS00NjY3LTkxNTctYmQ2OThlOTZjNDVkLTQtMTMyMjczOTE3OTIuOTcyMDYzMDA=", 48 | "executable": "C:\\Users\\default.win7x64devvm\\eclipse\\cpp-neon\\eclipse\\eclipse.exe", 49 | "name": "eclipse.exe", 50 | "pid": 5, 51 | "thread": { 52 | "id": 4242 53 | } 54 | }, 55 | "registry": { 56 | "data": { 
57 | "bytes": "ZQBuAC0AVQBTAAAAZQBuABBAAAA=", 58 | "strings": ["C:\\rta\\red_ttp\\bin\\myapp.exe"] 59 | }, 60 | "hive": "HKLM", 61 | "key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", 62 | "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Test", 63 | "value": "Test" 64 | }, 65 | "user": { 66 | "id": "S-1-5-18", 67 | "name": "MINWINPC$" 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /scripts/event_schema_generator/README.md: -------------------------------------------------------------------------------- 1 | # Event Schema 2 | 3 | This script takes the subset style files and outputs the full schema of a given event. 4 | 5 | ## To run 6 | 7 | ### Setup 8 | 9 | Before generating the schema files you'll need to clone the [ecs repo](https://github.com/elastic/ecs) (master branch). 10 | Once you have that cloned, you'll need to install the python package `requirements.txt` under the `scripts` directory 11 | [here](https://github.com/elastic/ecs/blob/master/scripts/requirements.txt). 12 | 13 | This project relies on dictionaries being ordered 14 | so you'll need python 3.6 or greater. It's probably easiest to `brew install python` and use 15 | `python3`. If you run into issues installing, it might be because of macOS Catalina, try `brew reinstall python` 16 | 17 | ### Usage 18 | 19 | ```bash 20 | usage: main.py [-h] [--out-schema-dir directory where example file will be copied] 21 | subset [subset ...] 22 | ``` 23 | 24 | From the `endpoint-app-team/scripts/event_schema_generator` directory 25 | 26 | ```bash 27 | python main.py --out-schema-dir ../../schemas/v1 ../../../ecs ../../custom_schemas ../../custom_subsets/elastic_endpoint/events/*.yaml test 28 | ``` 29 | 30 | With virtualenv: 31 | 32 | ```bash 33 | . 
venv/bin/activate 34 | python main.py --out-schema-dir ../../schemas/v1 ../../../ecs ../../custom_schemas ../../custom_subsets/elastic_endpoint/events/*.yaml test 35 | ``` 36 | -------------------------------------------------------------------------------- /scripts/generate-docs/README.md: -------------------------------------------------------------------------------- 1 | # Generate docs 2 | 3 | The script regenerates the README docs from the existing package content and the docs templates stored in 4 | [doc_templates](../../doc_templates). 5 | 6 | The README.md template supports the following template functions: 7 | 8 | `{{fields "access"}}` - render a table with exported fields for the data_stream `access` 9 | 10 | `{{event "access"}}` - render a sample event for the data_stream `access`. The data_stream event must be present in the 11 | `{packageName}/data_stream/{dataStreamName}/sample_event.json` file. 12 | 13 | ## Getting started 14 | 15 | Navigate to the root directory and execute the following command: 16 | 17 | ```bash 18 | go run ./scripts/generate-docs 19 | ``` 20 | 21 | This tool is run as part of the make build process so it will be invoked when `make` is run. 22 | -------------------------------------------------------------------------------- /scripts/generate-docs/doc_template.go: -------------------------------------------------------------------------------- 1 | // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | // or more contributor license agreements. Licensed under the Elastic License; 3 | // you may not use this file except in compliance with the Elastic License. 
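package main

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"path/filepath"
	"text/template"

	"github.com/pkg/errors"
)

const (
	readmeFilename = "README.md"
)

// renderReadme renders the README template of packageName, looked up at
// <docTemplatesDir>/<package>/docs/README.md, into
// <packagesSourceDir>/<package>/docs/README.md.
//
// A missing template is not an error: a notice is logged and nothing is
// written. The template is rendered into memory first and the output file is
// only written once rendering succeeded, so a failing template function
// ("event"/"fields") can no longer leave a truncated README behind, and a
// failure while flushing/closing the file is reported instead of being lost
// in a deferred Close.
func renderReadme(options generateOptions, packageName string) error {
	templatePath := filepath.Join(options.docTemplatesDir, fmt.Sprintf("%s/docs", packageName), readmeFilename)

	_, err := os.Stat(templatePath)
	if os.IsNotExist(err) {
		log.Printf(`Notice: the template file "%s" does not exist. The README.md file will not be rendered.`, templatePath)
		return nil
	} else if err != nil {
		return errors.Wrapf(err, "stat file failed (path: %s)", templatePath)
	}

	// The template's name must equal the parsed file's base name (README.md)
	// for ParseFiles to use that file as t's body. The two functions are the
	// ones README templates may call: {{event "ds"}} and {{fields "ds"}}.
	t := template.New(readmeFilename)
	t, err = t.Funcs(template.FuncMap{
		"event": func(dataStreamName string) (string, error) {
			return renderSampleEvent(options, packageName, dataStreamName)
		},
		"fields": func(dataStreamName string) (string, error) {
			return renderExportedFields(options, packageName, dataStreamName)
		},
	}).ParseFiles(templatePath)
	if err != nil {
		return errors.Wrapf(err, "parsing README template failed (path: %s)", templatePath)
	}

	// Render to a buffer: an error half-way through must not clobber the
	// existing README with a partial file.
	var rendered bytes.Buffer
	if err := t.Execute(&rendered, nil); err != nil {
		return errors.Wrapf(err, "rendering README file failed (path: %s)", templatePath)
	}

	outputPath := filepath.Join(options.packagesSourceDir, packageName, "docs", readmeFilename)
	// 0644 is the mode the file was created with before; WriteFile truncates
	// an existing README and surfaces close errors as well.
	if err := ioutil.WriteFile(outputPath, rendered.Bytes(), 0644); err != nil {
		return errors.Wrapf(err, "writing README file failed (path: %s)", outputPath)
	}
	return nil
}
-------------------------------------------------------------------------------- /scripts/generate-docs/packages.go: --------------------------------------------------------------------------------
// Copyright Elasticsearch B.V.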
and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

package main

import (
	"io/ioutil"

	"github.com/pkg/errors"
)

// listPackages returns the packages docs should be generated for: the
// explicitly selected packages when any were given, otherwise the name of
// every directory directly below options.packagesSourceDir. Plain files in
// that directory are ignored; a nil slice is returned when it holds no
// directories at all.
func listPackages(options generateOptions) ([]string, error) {
	if selected := options.selectedPackages(); len(selected) > 0 {
		return options.selectedPackages(), nil
	}

	entries, err := ioutil.ReadDir(options.packagesSourceDir)
	if err != nil {
		return nil, errors.Wrapf(err, "reading packages source dir failed (path: %s)", options.packagesSourceDir)
	}

	var folders []string
	for _, entry := range entries {
		if !entry.IsDir() {
			continue
		}
		folders = append(folders, entry.Name())
	}
	return folders, nil
}
-------------------------------------------------------------------------------- /scripts/generate-docs/sample_event.go: --------------------------------------------------------------------------------
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
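package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"path/filepath"
	"strings"

	"github.com/pkg/errors"
)

const sampleEventFile = "sample_event.json"

// renderSampleEvent reads
// <packagesSourceDir>/<package>/data_stream/<dataStreamName>/sample_event.json
// and returns it as a Markdown snippet: one intro line naming the data stream
// followed by the re-indented JSON in a fenced block. It backs the
// {{event "..."}} function available to README templates.
func renderSampleEvent(options generateOptions, packageName, dataStreamName string) (string, error) {
	eventPath := filepath.Join(options.packagesSourceDir, packageName, "data_stream", dataStreamName, sampleEventFile)

	body, err := ioutil.ReadFile(eventPath)
	if err != nil {
		return "", errors.Wrapf(err, "reading sample event file failed (path: %s)", eventPath)
	}

	formatted, err := formatSampleEvent(body)
	if err != nil {
		return "", errors.Wrapf(err, "formatting sample event file failed (path: %s)", eventPath)
	}

	var builder strings.Builder
	builder.WriteString(fmt.Sprintf("An example event for `%s` looks as following:\n\n",
		stripDataStreamFolderSuffix(dataStreamName)))
	builder.WriteString("```$json\n")
	builder.Write(formatted)
	builder.WriteString("\n```")
	return builder.String(), nil
}

// formatSampleEvent re-indents body (one JSON document) and returns it
// without a trailing newline. Malformed JSON is reported as an error.
//
// The document is re-indented in place with json.Indent instead of being
// decoded into a map and re-encoded: decoding into map[string]interface{}
// re-sorted the keys alphabetically and pushed every number through float64,
// which loses precision for integers above 2^53 (large ids, pids, byte
// counts) and rewrote them in float notation. json.Indent keeps the author's
// key order and the exact literals of the sample file.
func formatSampleEvent(body []byte) ([]byte, error) {
	var formatted bytes.Buffer
	// TrimSpace so a trailing newline in the file is not copied into the
	// output (json.Indent preserves trailing whitespace from its input).
	if err := json.Indent(&formatted, bytes.TrimSpace(body), "", " "); err != nil {
		return nil, errors.Wrap(err, "indenting sample event file failed")
	}
	return formatted.Bytes(), nil
}

// stripDataStreamFolderSuffix turns a data stream directory name into its
// display name by dropping the "_metrics" / "_logs" folder suffix. Note that
// ReplaceAll removes these substrings wherever they occur in the name, not
// only at the end.
func stripDataStreamFolderSuffix(dataStreamName string) string {
	dataStreamName = strings.ReplaceAll(dataStreamName, "_metrics", "")
	dataStreamName = strings.ReplaceAll(dataStreamName, "_logs", "")
	return dataStreamName
}
-------------------------------------------------------------------------------- /scripts/go-tools/README.md: --------------------------------------------------------------------------------
# External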
Tools Written in Go 2 | 3 | This directory contains references to external tools written in go. The [tools.go](./tools.go) file imports the external tools that are used to make note of them. It will never be compiled into its own tool. 4 | 5 | The external tools are built in the Makefile's execution and are stored in the `bin` directory that is created in this directory. 6 | 7 | For more information see: 8 | -------------------------------------------------------------------------------- /scripts/go-tools/tools.go: -------------------------------------------------------------------------------- 1 | // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | // or more contributor license agreements. Licensed under the Elastic License; 3 | // you may not use this file except in compliance with the Elastic License. 4 | 5 | // +build tools 6 | 7 | /** 8 | * This file is a dummy file that will never be compiled. It just indicates that we're using 9 | * the elastic-package tool. This is necessary so we can vendor it. If additional external go tools 10 | * are needed they can be added in the import here. 
11 | * 12 | * For more information see: https://github.com/go-modules-by-example/index/blob/master/010_tools/README.md 13 | */ 14 | package tools 15 | 16 | import ( 17 | _ "github.com/elastic/elastic-package" 18 | ) 19 | -------------------------------------------------------------------------------- /scripts/requirements.txt: -------------------------------------------------------------------------------- 1 | bump2version~=1.0 2 | GitPython~=3.1 3 | Jinja2~=3.0 4 | PyYAML~=6.0 5 | pyyaml-include~=1.2 6 | click 7 | xxhash 8 | -------------------------------------------------------------------------------- /scripts/saved_object_decoder/README.md: -------------------------------------------------------------------------------- 1 | # saved-object-decoder 2 | Kibana Saved Object Decoder 3 | 4 | This tool decodes Kibana saved objects ndjson format and saves each type of object 5 | in its own directory. 6 | 7 | ## Usage 8 | ```bash 9 | python so_decoder.py 10 | ``` -------------------------------------------------------------------------------- /scripts/yaml_merger/process_yaml.py: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 3 | # or more contributor license agreements. Licensed under the Elastic License; 4 | # you may not use this file except in compliance with the Elastic License. 
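#

import argparse

import yaml
from yamlinclude import YamlIncludeConstructor


def argument_parser():
    """Parse the command line and return the resulting ``argparse.Namespace``.

    The namespace carries ``base_dir``, ``field_template_file`` and
    ``output_file``; each is ``None`` when its flag was not given (``main``
    then fails on ``open``). The single-dash spellings are kept unchanged so
    existing invocations keep working.
    """
    parser = argparse.ArgumentParser(
        description='merge a YAML field template and the files it includes into one output file')
    parser.add_argument('-base_dir', help='base directory for the included yaml files')
    parser.add_argument('-field_template_file', help='the template file to use for the merge')
    parser.add_argument('-output_file', help='the file to dump output')
    return parser.parse_args()


def main():
    """Load the template with its includes resolved and dump the merged document.

    Reads ``field_template_file`` (includes resolved relative to ``base_dir``)
    and writes the result to ``output_file`` in block style, keeping the key
    order of the source document (``sort_keys=False``).
    """
    args = argument_parser()

    print('base_dir: {}'.format(args.base_dir))
    print('field_template_file: {}'.format(args.field_template_file))
    print('output_file: {}'.format(args.output_file))

    # Register the include constructor on FullLoader so fragments referenced
    # from the template are read relative to base_dir.
    YamlIncludeConstructor.add_to_loader_class(loader_class=yaml.FullLoader, base_dir=args.base_dir)

    # NOTE: yaml.load with FullLoader accepts a wider set of tags than
    # SafeLoader, and the include constructor registered above reads files
    # under base_dir on the template's say-so. Only feed this script the
    # repository's own templates, never YAML from an untrusted source.
    # Encoding is pinned to UTF-8 rather than the locale default so non-ASCII
    # field descriptions round-trip identically on every platform.
    with open(args.field_template_file, encoding='utf-8') as f:
        data = yaml.load(f, Loader=yaml.FullLoader)

    with open(args.output_file, 'w', encoding='utf-8') as out:
        yaml.dump(data, out, default_flow_style=False, sort_keys=False)


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------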