Common fieldsedit

Contains common fields available in all event types.

event.module
The name of the module that generated the event.
event.action

type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

file fieldsedit

File attributes.

file.path

type: text

The path to the file.

file.path.raw

type: keyword

The path to the file. This is a non-analyzed field that is useful for aggregations.

file.target_path

type: keyword

The target path for symlinks.

file.type

type: keyword

The file type (file, dir, or symlink).

file.device

type: keyword

The device.

file.inode

type: keyword

The inode representing the file in the filesystem.

file.uid

type: keyword

The user ID (UID) or security identifier (SID) of the file owner.

file.owner

type: keyword

The file owner’s username.

file.gid

type: keyword

The primary group ID (GID) of the file.

file.group

type: keyword

The primary group name of the file.

file.mode

type: keyword

example: 416

The mode of the file in octal representation.

file.setuid

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

file.setgid

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

file.size

type: long

The file size in bytes (field is only added when type is file).

file.mtime

type: date

The last modified time of the file (time when content was modified).

file.ctime

type: date

The last change time of the file (time when metadata was changed).

file.origin

type: text

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

file.origin.raw

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

selinux fieldsedit

The SELinux identity of the file.

file.selinux.user

type: keyword

The owner of the object.

file.selinux.role

type: keyword

The object’s SELinux role.

file.selinux.domain

type: keyword

The object’s SELinux domain or type.

file.selinux.level

type: keyword

example: s0

The object’s SELinux level.