Common fields

Contains common fields available in all event types.

file

File attributes.

file.setuid

Set if the file has the setuid bit set. Omitted otherwise.

type: boolean

example: True

file.setgid

Set if the file has the setgid bit set. Omitted otherwise.

type: boolean

example: True

file.origin

An array of strings describing a possible external origin for this file, for example the URL it was downloaded from. Only supported on macOS, via the kMDItemWhereFroms extended attribute. Omitted if origin information is not available.

type: keyword

file.origin.raw

This is a non-analyzed copy of file.origin that is useful for aggregations on the origin data.

type: keyword

selinux

The SELinux identity of the file.

file.selinux.user

The SELinux user that owns the object.

type: keyword

file.selinux.role

The object’s SELinux role.

type: keyword

file.selinux.domain

The object’s SELinux domain or type.

type: keyword

file.selinux.level

The object’s SELinux level.

type: keyword

example: s0

user

User information.

audit

Audit user information.

user.audit.id

Audit user ID.

type: keyword

user.audit.name

Audit user name.

type: keyword

filesystem

Filesystem user information.

user.filesystem.id

Filesystem user ID.

type: keyword

user.filesystem.name

Filesystem user name.

type: keyword

group

Filesystem group information.

user.filesystem.group.id

Filesystem group ID.

type: keyword

user.filesystem.group.name

Filesystem group name.

type: keyword

saved

Saved user information.

user.saved.id

Saved user ID.

type: keyword

user.saved.name

Saved user name.

type: keyword

group

Saved group information.

user.saved.group.id

Saved group ID.

type: keyword

user.saved.group.name

Saved group name.

type: keyword