Contains common fields available in all event types.
file
File attributes.
-
file.setuid -
Set if the file has the
setuidbit set. Omitted otherwise.type: boolean
example: True
-
file.setgid -
Set if the file has the
setgidbit set. Omitted otherwise.type: boolean
example: True
-
file.origin -
An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
type: keyword
-
file.origin.text -
This is an analyzed field that is useful for full text search on the origin data.
type: text
selinux
The SELinux identity of the file.
-
file.selinux.user -
The owner of the object.
type: keyword
-
file.selinux.role -
The object’s SELinux role.
type: keyword
-
file.selinux.domain -
The object’s SELinux domain or type.
type: keyword
-
file.selinux.level -
The object’s SELinux level.
type: keyword
example: s0
user
User information.
audit
Audit user information.
-
user.audit.id -
Audit user ID.
type: keyword
-
user.audit.name -
Audit user name.
type: keyword
filesystem
Filesystem user information.
-
user.filesystem.id -
Filesystem user ID.
type: keyword
-
user.filesystem.name -
Filesystem user name.
type: keyword
group
Filesystem group information.
-
user.filesystem.group.id -
Filesystem group ID.
type: keyword
-
user.filesystem.group.name -
Filesystem group name.
type: keyword
saved
Saved user information.
-
user.saved.id -
Saved user ID.
type: keyword
-
user.saved.name -
Saved user name.
type: keyword
group
Saved group information.
-
user.saved.group.id -
Saved group ID.
type: keyword
-
user.saved.group.name -
Saved group name.
type: keyword