IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Cloud provider metadata fields Docker fields »

› ›

Common fields

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Common fields

edit

Contains common fields available in all event types.

file

edit

File attributes.

file.setuid

Set if the file has the setuid bit set. Omitted otherwise.

type: boolean

example: True

file.setgid

Set if the file has the setgid bit set. Omitted otherwise.

type: boolean

example: True

file.origin

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

type: keyword

file.origin.raw

This is a non-analyzed field that is useful for aggregations on the origin data.

type: keyword

selinux

edit

The SELinux identity of the file.

file.selinux.user

The owner of the object.

type: keyword

file.selinux.role

The object’s SELinux role.

type: keyword

file.selinux.domain

The object’s SELinux domain or type.

edit

Saved group information.

user.saved.group.id

Saved group ID.

type: keyword

user.saved.group.name

Saved group name.

type: keyword

« Cloud provider metadata fields Docker fields »