Docs
You are looking at documentation for an older release. Not what you want? See the current release documentation.
Filebeat Reference [7.3] » Exported fields » Google Santa fields
«  Redis fields     Suricata fields  »

Google Santa fieldsedit

Santa Module

santaedit

santa.action

Action

type: keyword

example: EXEC

santa.decision

Decision that santad took.

type: keyword

example: ALLOW

santa.reason

Reason for the decsision.

type: keyword

example: CERT

santa.mode

Operating mode of Santa.

type: keyword

example: M

diskedit

Fields for DISKAPPEAR actions.

santa.disk.volume
The volume name.
santa.disk.bus
The disk bus protocol.
santa.disk.serial
The disk serial number.
santa.disk.bsdname

The disk BSD name.

example: disk1s3

santa.disk.model

The disk model.

example: APPLE SSD SM0512L

santa.disk.fs

The disk volume kind (filesystem type).

example: apfs

santa.disk.mount
The disk volume path.
certificate.common_name

Common name from code signing certificate.

type: keyword

certificate.sha256

SHA256 hash of code signing certificate.

type: keyword

hash.sha256

Hash of process executable.

type: keyword

«  Redis fields     Suricata fields  »