IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Santa Module
santa
-
santa.action -
Action
type: keyword
example: EXEC
-
santa.decision -
Decision that santad took.
type: keyword
example: ALLOW
-
santa.reason -
Reason for the decsision.
type: keyword
example: CERT
-
santa.mode -
Operating mode of Santa.
type: keyword
example: M
disk
Fields for DISKAPPEAR actions.
-
santa.disk.volume -
The volume name.
-
santa.disk.bus -
The disk bus protocol.
-
santa.disk.serial -
The disk serial number.
-
santa.disk.bsdname -
The disk BSD name.
example: disk1s3
-
santa.disk.model -
The disk model.
example: APPLE SSD SM0512L
-
santa.disk.fs -
The disk volume kind (filesystem type).
example: apfs
-
santa.disk.mount -
The disk volume path.
-
certificate.common_name -
Common name from code signing certificate.
type: keyword
-
certificate.sha256 -
SHA256 hash of code signing certificate.
type: keyword
-
hash.sha256 -
Hash of process executable.
type: keyword