Cylance integration

edit

Cylance integration

edit

Version

0.21.1 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

This integration is for Cylance logs. It includes the following datasets for receiving logs over syslog or read from a file:

  • protect dataset: supports CylanceProtect logs.

Protect

edit

The protect dataset collects CylanceProtect logs.

Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

dns.question.domain

Server domain.

keyword

event.dataset

Event dataset

constant_keyword

event.module

Event module

constant_keyword

geo.city_name

City name.

keyword

geo.country_name

Country name.

keyword

geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

keyword

geo.region_name

Region name.

keyword

input.type

Type of Filebeat input.

keyword

log.flags

Flags for the log file.

keyword

log.offset

Offset of the entry in the log file.

long

log.source.address

Source address from which the log event was read / sent from.

keyword

network.interface.name

keyword

rsa.counters.dclass_c1

This is a generic counter key that should be used with the label dclass.c1.str only

long

rsa.counters.dclass_c1_str

This is a generic counter string key that should be used with the label dclass.c1 only

keyword

rsa.counters.dclass_c2

This is a generic counter key that should be used with the label dclass.c2.str only

long

rsa.counters.dclass_c2_str

This is a generic counter string key that should be used with the label dclass.c2 only

keyword

rsa.counters.dclass_c3

This is a generic counter key that should be used with the label dclass.c3.str only

long

rsa.counters.dclass_c3_str

This is a generic counter string key that should be used with the label dclass.c3 only

keyword

rsa.counters.dclass_r1

This is a generic ratio key that should be used with the label dclass.r1.str only

keyword

rsa.counters.dclass_r1_str

This is a generic ratio string key that should be used with the label dclass.r1 only

keyword

rsa.counters.dclass_r2

This is a generic ratio key that should be used with the label dclass.r2.str only

keyword

rsa.counters.dclass_r2_str

This is a generic ratio string key that should be used with the label dclass.r2 only

keyword

rsa.counters.dclass_r3

This is a generic ratio key that should be used with the label dclass.r3.str only

keyword

rsa.counters.dclass_r3_str

This is a generic ratio string key that should be used with the label dclass.r3 only

keyword

rsa.counters.event_counter

This is used to capture the number of times an event repeated

long

rsa.crypto.cert_ca

This key is used to capture the Certificate signing authority only

keyword

rsa.crypto.cert_checksum

keyword

rsa.crypto.cert_common

This key is used to capture the Certificate common name only

keyword

rsa.crypto.cert_error

This key captures the Certificate Error String

keyword

rsa.crypto.cert_host_cat

This key is used for the hostname category value of a certificate

keyword

rsa.crypto.cert_host_name

Deprecated key defined only in table map.

keyword

rsa.crypto.cert_issuer

keyword

rsa.crypto.cert_keysize

keyword

rsa.crypto.cert_serial

This key is used to capture the Certificate serial number only

keyword

rsa.crypto.cert_status

This key captures Certificate validation status

keyword

rsa.crypto.cert_subject

This key is used to capture the Certificate organization only

keyword

rsa.crypto.cert_username

keyword

rsa.crypto.cipher_dst

This key is for Destination (Server) Cipher

keyword

rsa.crypto.cipher_size_dst

This key captures Destination (Server) Cipher Size

long

rsa.crypto.cipher_size_src

This key captures Source (Client) Cipher Size

long

rsa.crypto.cipher_src

This key is for Source (Client) Cipher

keyword

rsa.crypto.crypto

This key is used to capture the Encryption Type or Encryption Key only

keyword

rsa.crypto.d_certauth

keyword

rsa.crypto.https_insact

keyword

rsa.crypto.https_valid

keyword

rsa.crypto.ike

IKE negotiation phase.

keyword

rsa.crypto.ike_cookie1

ID of the negotiation — sent for ISAKMP Phase One

keyword

rsa.crypto.ike_cookie2

ID of the negotiation — sent for ISAKMP Phase Two

keyword

rsa.crypto.peer

This key is for Encryption peer’s IP Address

keyword

rsa.crypto.peer_id

This key is for Encryption peer’s identity

keyword

rsa.crypto.s_certauth

keyword

rsa.crypto.scheme

This key captures the Encryption scheme used

keyword

rsa.crypto.sig_type

This key captures the Signature Type

keyword

rsa.crypto.ssl_ver_dst

Deprecated, use version

keyword

rsa.crypto.ssl_ver_src

Deprecated, use version

keyword

rsa.db.database

This key is used to capture the name of a database or an instance as seen in a session

keyword

rsa.db.db_id

This key is used to capture the unique identifier for a database

keyword

rsa.db.db_pid

This key captures the process id of a connection with database server

long

rsa.db.index

This key captures IndexID of the index.

keyword

rsa.db.instance

This key is used to capture the database server instance name

keyword

rsa.db.lread

This key is used for the number of logical reads

long

rsa.db.lwrite

This key is used for the number of logical writes

long

rsa.db.permissions

This key captures permission or privilege level assigned to a resource.

keyword

rsa.db.pread

This key is used for the number of physical writes

long

rsa.db.table_name

This key is used to capture the table name

keyword

rsa.db.transact_id

This key captures the SQL transantion ID of the current session

keyword

rsa.email.email

This key is used to capture a generic email address where the source or destination context is not clear

keyword

rsa.email.email_dst

This key is used to capture the Destination email address only, when the destination context is not clear use email

keyword

rsa.email.email_src

This key is used to capture the source email address only, when the source context is not clear use email

keyword

rsa.email.subject

This key is used to capture the subject string from an Email only.

keyword

rsa.email.trans_from

Deprecated key defined only in table map.

keyword

rsa.email.trans_to

Deprecated key defined only in table map.

keyword

rsa.endpoint.host_state

This key is used to capture the current state of the machine, such as <strong>blacklisted</strong>, <strong>infected</strong>, <strong>firewall disabled</strong> and so on

keyword

rsa.endpoint.registry_key

This key captures the path to the registry key

keyword

rsa.endpoint.registry_value

This key captures values or decorators used within a registry entry

keyword

rsa.file.attachment

This key captures the attachment file name

keyword

rsa.file.binary

Deprecated key defined only in table map.

keyword

rsa.file.directory_dst

<span>This key is used to capture the directory of the target process or file</span>

keyword

rsa.file.directory_src

This key is used to capture the directory of the source process or file

keyword

rsa.file.file_entropy

This is used to capture entropy vale of a file

double

rsa.file.file_vendor

This is used to capture Company name of file located in version_info

keyword

rsa.file.filename_dst

This is used to capture name of the file targeted by the action

keyword

rsa.file.filename_src

This is used to capture name of the parent filename, the file which performed the action

keyword

rsa.file.filename_tmp

keyword

rsa.file.filesystem

keyword

rsa.file.privilege

Deprecated, use permissions

keyword

rsa.file.task_name

This is used to capture name of the task

keyword

rsa.healthcare.patient_fname

This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.healthcare.patient_id

This key captures the unique ID for a patient

keyword

rsa.healthcare.patient_lname

This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.healthcare.patient_mname

This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.identity.accesses

This key is used to capture actual privileges used in accessing an object

keyword

rsa.identity.auth_method

This key is used to capture authentication methods used only

keyword

rsa.identity.dn

X.500 (LDAP) Distinguished Name

keyword

rsa.identity.dn_dst

An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

keyword

rsa.identity.dn_src

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

keyword

rsa.identity.federated_idp

This key is the federated Identity Provider. This is the server providing the authentication.

keyword

rsa.identity.federated_sp

This key is the Federated Service Provider. This is the application requesting authentication.

keyword

rsa.identity.firstname

This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.identity.host_role

This key should only be used to capture the role of a Host Machine

keyword

rsa.identity.lastname

This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.identity.ldap

This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

keyword

rsa.identity.ldap_query

This key is the Search criteria from an LDAP search

keyword

rsa.identity.ldap_response

This key is to capture Results from an LDAP search

keyword

rsa.identity.logon_type

This key is used to capture the type of logon method used.

keyword

rsa.identity.logon_type_desc

This key is used to capture the textual description of an integer logon type as stored in the meta key logon.type.

keyword

rsa.identity.middlename

This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

keyword

rsa.identity.org

This key captures the User organization

keyword

rsa.identity.owner

This is used to capture username the process or service is running as, the author of the task

keyword

rsa.identity.password

This key is for Passwords seen in any session, plain text or encrypted

keyword

rsa.identity.profile

This key is used to capture the user profile

keyword

rsa.identity.realm

Radius realm or similar grouping of accounts

keyword

rsa.identity.service_account

This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

keyword

rsa.identity.user_dept

User’s Department Names only

keyword

rsa.identity.user_role

This key is used to capture the Role of a user only

keyword

rsa.identity.user_sid_dst

This key captures Destination User Session ID

keyword

rsa.identity.user_sid_src

This key captures Source User Session ID

keyword

rsa.internal.audit_class

Deprecated key defined only in table map.

keyword

rsa.internal.cid

This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.data

Deprecated key defined only in table map.

keyword

rsa.internal.dead

Deprecated key defined only in table map.

long

rsa.internal.device_class

This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.device_group

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.device_host

This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.device_ip

This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

ip

rsa.internal.device_ipv6

This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

ip

rsa.internal.device_type

This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.device_type_id

Deprecated key defined only in table map.

long

rsa.internal.did

This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.entropy_req

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

long

rsa.internal.entropy_res

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

long

rsa.internal.entry

Deprecated key defined only in table map.

keyword

rsa.internal.event_desc

keyword

rsa.internal.event_name

Deprecated key defined only in table map.

keyword

rsa.internal.feed_category

This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.feed_desc

This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.feed_name

This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.forward_ip

This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

ip

rsa.internal.forward_ipv6

This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

ip

rsa.internal.hcode

Deprecated key defined only in table map.

keyword

rsa.internal.header_id

This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.inode

Deprecated key defined only in table map.

long

rsa.internal.lc_cid

This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.lc_ctime

This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

date

rsa.internal.level

Deprecated key defined only in table map.

long

rsa.internal.mcb_req

This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

long

rsa.internal.mcb_res

This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

long

rsa.internal.mcbc_req

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

long

rsa.internal.mcbc_res

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

long

rsa.internal.medium

This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

long

rsa.internal.message

This key captures the contents of instant messages

keyword

rsa.internal.messageid

keyword

rsa.internal.msg

This key is used to capture the raw message that comes into the Log Decoder

keyword

rsa.internal.msg_id

This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.msg_vid

This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.node_name

Deprecated key defined only in table map.

keyword

rsa.internal.nwe_callback_id

This key denotes that event is endpoint related

keyword

rsa.internal.obj_id

Deprecated key defined only in table map.

keyword

rsa.internal.obj_server

Deprecated key defined only in table map.

keyword

rsa.internal.obj_val

Deprecated key defined only in table map.

keyword

rsa.internal.parse_error

This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.payload_req

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

long

rsa.internal.payload_res

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

long

rsa.internal.process_vid_dst

Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

keyword

rsa.internal.process_vid_src

Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

keyword

rsa.internal.resource

Deprecated key defined only in table map.

keyword

rsa.internal.resource_class

Deprecated key defined only in table map.

keyword

rsa.internal.rid

This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

long

rsa.internal.session_split

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.site

Deprecated key defined only in table map.

keyword

rsa.internal.size

This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

long

rsa.internal.sourcefile

This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.internal.statement

Deprecated key defined only in table map.

keyword

rsa.internal.time

This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

date

rsa.internal.ubc_req

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

long

rsa.internal.ubc_res

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

long

rsa.internal.word

This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

keyword

rsa.investigations.analysis_file

This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

keyword

rsa.investigations.analysis_service

This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

keyword

rsa.investigations.analysis_session

This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

keyword

rsa.investigations.boc

This is used to capture behaviour of compromise

keyword

rsa.investigations.ec_activity

This key captures the particular event activity(Ex:Logoff)

keyword

rsa.investigations.ec_outcome

This key captures the outcome of a particular Event(Ex:Success)

keyword

rsa.investigations.ec_subject

This key captures the Subject of a particular Event(Ex:User)

keyword

rsa.investigations.ec_theme

This key captures the Theme of a particular Event(Ex:Authentication)

keyword

rsa.investigations.eoc

This is used to capture Enablers of Compromise

keyword

rsa.investigations.event_cat

This key captures the Event category number

long

rsa.investigations.event_cat_name

This key captures the event category name corresponding to the event cat code

keyword

rsa.investigations.event_vcat

This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

keyword

rsa.investigations.inv_category

This used to capture investigation category

keyword

rsa.investigations.inv_context

This used to capture investigation context

keyword

rsa.investigations.ioc

This is key capture indicator of compromise

keyword

rsa.misc.OS

This key captures the Name of the Operating System

keyword

rsa.misc.acl_id

keyword

rsa.misc.acl_op

keyword

rsa.misc.acl_pos

keyword

rsa.misc.acl_table

keyword

rsa.misc.action

keyword

rsa.misc.admin

keyword

rsa.misc.agent_id

This key is used to capture agent id

keyword

rsa.misc.alarm_id

keyword

rsa.misc.alarmname

keyword

rsa.misc.alert_id

Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)

keyword

rsa.misc.app_id

keyword

rsa.misc.audit

keyword

rsa.misc.audit_object

keyword

rsa.misc.auditdata

keyword

rsa.misc.autorun_type

This is used to capture Auto Run type

keyword

rsa.misc.benchmark

keyword

rsa.misc.bypass

keyword

rsa.misc.cache

keyword

rsa.misc.cache_hit

keyword

rsa.misc.category

This key is used to capture the category of an event given by the vendor in the session

keyword

rsa.misc.cc_number

Valid Credit Card Numbers only

long

rsa.misc.cefversion

keyword

rsa.misc.cfg_attr

keyword

rsa.misc.cfg_obj

keyword

rsa.misc.cfg_path

keyword

rsa.misc.change_attrib

This key is used to capture the name of the attribute that’s changing in a session

keyword

rsa.misc.change_new

This key is used to capture the new values of the attribute that’s changing in a session

keyword

rsa.misc.change_old

This key is used to capture the old value of the attribute that’s changing in a session

keyword

rsa.misc.changes

keyword

rsa.misc.checksum

This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

keyword

rsa.misc.checksum_dst

This key is used to capture the checksum or hash of the the target entity such as a process or file.

keyword

rsa.misc.checksum_src

This key is used to capture the checksum or hash of the source entity such as a file or process.

keyword

rsa.misc.client

This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

keyword

rsa.misc.client_ip

keyword

rsa.misc.clustermembers

keyword

rsa.misc.cmd

keyword

rsa.misc.cn_acttimeout

keyword

rsa.misc.cn_asn_src

keyword

rsa.misc.cn_bgpv4nxthop

keyword

rsa.misc.cn_ctr_dst_code

keyword

rsa.misc.cn_dst_tos

keyword

rsa.misc.cn_dst_vlan

keyword

rsa.misc.cn_engine_id

keyword

rsa.misc.cn_engine_type

keyword

rsa.misc.cn_f_switch

keyword

rsa.misc.cn_flowsampid

keyword

rsa.misc.cn_flowsampintv

keyword

rsa.misc.cn_flowsampmode

keyword

rsa.misc.cn_inacttimeout

keyword

rsa.misc.cn_inpermbyts

keyword

rsa.misc.cn_inpermpckts

keyword

rsa.misc.cn_invalid

keyword

rsa.misc.cn_ip_proto_ver

keyword

rsa.misc.cn_ipv4_ident

keyword

rsa.misc.cn_l_switch

keyword

rsa.misc.cn_log_did

keyword

rsa.misc.cn_log_rid

keyword

rsa.misc.cn_max_ttl

keyword

rsa.misc.cn_maxpcktlen

keyword

rsa.misc.cn_min_ttl

keyword

rsa.misc.cn_minpcktlen

keyword

rsa.misc.cn_mpls_lbl_1

keyword

rsa.misc.cn_mpls_lbl_10

keyword

rsa.misc.cn_mpls_lbl_2

keyword

rsa.misc.cn_mpls_lbl_3

keyword

rsa.misc.cn_mpls_lbl_4

keyword

rsa.misc.cn_mpls_lbl_5

keyword

rsa.misc.cn_mpls_lbl_6

keyword

rsa.misc.cn_mpls_lbl_7

keyword

rsa.misc.cn_mpls_lbl_8

keyword

rsa.misc.cn_mpls_lbl_9

keyword

rsa.misc.cn_mplstoplabel

keyword

rsa.misc.cn_mplstoplabip

keyword

rsa.misc.cn_mul_dst_byt

keyword

rsa.misc.cn_mul_dst_pks

keyword

rsa.misc.cn_muligmptype

keyword

rsa.misc.cn_sampalgo

keyword

rsa.misc.cn_sampint

keyword

rsa.misc.cn_seqctr

keyword

rsa.misc.cn_spackets

keyword

rsa.misc.cn_src_tos

keyword

rsa.misc.cn_src_vlan

keyword

rsa.misc.cn_sysuptime

keyword

rsa.misc.cn_template_id

keyword

rsa.misc.cn_totbytsexp

keyword

rsa.misc.cn_totflowexp

keyword

rsa.misc.cn_totpcktsexp

keyword

rsa.misc.cn_unixnanosecs

keyword

rsa.misc.cn_v6flowlabel

keyword

rsa.misc.cn_v6optheaders

keyword

rsa.misc.code

keyword

rsa.misc.command

keyword

rsa.misc.comments

Comment information provided in the log message

keyword

rsa.misc.comp_class

keyword

rsa.misc.comp_name

keyword

rsa.misc.comp_rbytes

keyword

rsa.misc.comp_sbytes

keyword

rsa.misc.comp_version

This key captures the Version level of a sub-component of a product.

keyword

rsa.misc.connection_id

This key captures the Connection ID

keyword

rsa.misc.content

This key captures the content type from protocol headers

keyword

rsa.misc.content_type

This key is used to capture Content Type only.

keyword

rsa.misc.content_version

This key captures Version level of a signature or database content.

keyword

rsa.misc.context

This key captures Information which adds additional context to the event.

keyword

rsa.misc.context_subject

This key is to be used in an audit context where the subject is the object being identified

keyword

rsa.misc.context_target

keyword

rsa.misc.count

keyword

rsa.misc.cpu

This key is the CPU time used in the execution of the event being recorded.

long

rsa.misc.cpu_data

keyword

rsa.misc.criticality

keyword

rsa.misc.cs_agency_dst

keyword

rsa.misc.cs_analyzedby

keyword

rsa.misc.cs_av_other

keyword

rsa.misc.cs_av_primary

keyword

rsa.misc.cs_av_secondary

keyword

rsa.misc.cs_bgpv6nxthop

keyword

rsa.misc.cs_bit9status

keyword

rsa.misc.cs_context

keyword

rsa.misc.cs_control

keyword

rsa.misc.cs_data

keyword

rsa.misc.cs_datecret

keyword

rsa.misc.cs_dst_tld

keyword

rsa.misc.cs_eth_dst_ven

keyword

rsa.misc.cs_eth_src_ven

keyword

rsa.misc.cs_event_uuid

keyword

rsa.misc.cs_filetype

keyword

rsa.misc.cs_fld

keyword

rsa.misc.cs_if_desc

keyword

rsa.misc.cs_if_name

keyword

rsa.misc.cs_ip_next_hop

keyword

rsa.misc.cs_ipv4dstpre

keyword

rsa.misc.cs_ipv4srcpre

keyword

rsa.misc.cs_lifetime

keyword

rsa.misc.cs_log_medium

keyword

rsa.misc.cs_loginname

keyword

rsa.misc.cs_modulescore

keyword

rsa.misc.cs_modulesign

keyword

rsa.misc.cs_opswatresult

keyword

rsa.misc.cs_payload

keyword

rsa.misc.cs_registrant

keyword

rsa.misc.cs_registrar

keyword

rsa.misc.cs_represult

keyword

rsa.misc.cs_rpayload

keyword

rsa.misc.cs_sampler_name

keyword

rsa.misc.cs_sourcemodule

keyword

rsa.misc.cs_streams

keyword

rsa.misc.cs_targetmodule

keyword

rsa.misc.cs_v6nxthop

keyword

rsa.misc.cs_whois_server

keyword

rsa.misc.cs_yararesult

keyword

rsa.misc.cve

This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

keyword

rsa.misc.data_type

keyword

rsa.misc.description

keyword

rsa.misc.device_name

This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc

keyword

rsa.misc.devvendor

keyword

rsa.misc.disposition

This key captures the The end state of an action.

keyword

rsa.misc.distance

keyword

rsa.misc.doc_number

This key captures File Identification number

long

rsa.misc.dstburb

keyword

rsa.misc.edomain

keyword

rsa.misc.edomaub

keyword

rsa.misc.ein_number

Employee Identification Numbers only

long

rsa.misc.error

This key captures All non successful Error codes or responses

keyword

rsa.misc.euid

keyword

rsa.misc.event_category

keyword

rsa.misc.event_computer

This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

keyword

rsa.misc.event_desc

This key is used to capture a description of an event available directly or inferred

keyword

rsa.misc.event_id

keyword

rsa.misc.event_log

This key captures the Name of the event log

keyword

rsa.misc.event_source

This key captures Source of the event that’s not a hostname

keyword

rsa.misc.event_state

This key captures the current state of the object/item referenced within the event. Describing an on-going event.

keyword

rsa.misc.event_type

This key captures the event category type as specified by the event source.

keyword

rsa.misc.event_user

This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

keyword

rsa.misc.expected_val

This key captures the Value expected (from the perspective of the device generating the log).

keyword

rsa.misc.facility

keyword

rsa.misc.facilityname

keyword

rsa.misc.fcatnum

This key captures Filter Category Number. Legacy Usage

keyword

rsa.misc.filter

This key captures Filter used to reduce result set

keyword

rsa.misc.finterface

keyword

rsa.misc.flags

keyword

rsa.misc.forensic_info

keyword

rsa.misc.found

This is used to capture the results of regex match

keyword

rsa.misc.fresult

This key captures the Filter Result

long

rsa.misc.gaddr

keyword

rsa.misc.group

This key captures the Group Name value

keyword

rsa.misc.group_id

This key captures Group ID Number (related to the group name)

keyword

rsa.misc.group_object

This key captures a collection/grouping of entities. Specific usage

keyword

rsa.misc.hardware_id

This key is used to capture unique identifier for a device or system (NOT a Mac address)

keyword

rsa.misc.id3

keyword

rsa.misc.im_buddyid

keyword

rsa.misc.im_buddyname

keyword

rsa.misc.im_client

keyword

rsa.misc.im_croomid

keyword

rsa.misc.im_croomtype

keyword

rsa.misc.im_members

keyword

rsa.misc.im_userid

keyword

rsa.misc.im_username

keyword

rsa.misc.index

keyword

rsa.misc.inout

keyword

rsa.misc.ipkt

keyword

rsa.misc.ipscat

keyword

rsa.misc.ipspri

keyword

rsa.misc.job_num

This key captures the Job Number

keyword

rsa.misc.jobname

keyword

rsa.misc.language

This is used to capture list of languages the client support and what it prefers

keyword

rsa.misc.latitude

keyword

rsa.misc.library

This key is used to capture library information in mainframe devices

keyword

rsa.misc.lifetime

This key is used to capture the session lifetime in seconds.

long

rsa.misc.linenum

keyword

rsa.misc.link

This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

keyword

rsa.misc.list_name

keyword

rsa.misc.listnum

This key is used to capture listname or listnumber, primarily for collecting access-list

keyword

rsa.misc.load_data

keyword

rsa.misc.location_floor

keyword

rsa.misc.location_mark

keyword

rsa.misc.log_id

keyword

rsa.misc.log_session_id

This key is used to capture a sessionid from the session directly

keyword

rsa.misc.log_session_id1

This key is used to capture a Linked (Related) Session ID from the session directly

keyword

rsa.misc.log_type

keyword

rsa.misc.logid

keyword

rsa.misc.logip

keyword

rsa.misc.logname

keyword

rsa.misc.longitude

keyword

rsa.misc.lport

keyword

rsa.misc.mail_id

This key is used to capture the mailbox id/name

keyword

rsa.misc.match

This key is for regex match name from search.ini

keyword

rsa.misc.mbug_data

keyword

rsa.misc.message_body

This key captures the The contents of the message body.

keyword

rsa.misc.misc

keyword

rsa.misc.misc_name

keyword

rsa.misc.mode

keyword

rsa.misc.msgIdPart1

keyword

rsa.misc.msgIdPart2

keyword

rsa.misc.msgIdPart3

keyword

rsa.misc.msgIdPart4

keyword

rsa.misc.msg_type

keyword

rsa.misc.msgid

keyword

rsa.misc.name

keyword

rsa.misc.netsessid

keyword

rsa.misc.node

Common use case is the node name within a cluster. The cluster name is reflected by the host name.

keyword

rsa.misc.ntype

keyword

rsa.misc.num

keyword

rsa.misc.number

keyword

rsa.misc.number1

keyword

rsa.misc.number2

keyword

rsa.misc.nwwn

keyword

rsa.misc.obj_name

This is used to capture name of object

keyword

rsa.misc.obj_type

This is used to capture type of object

keyword

rsa.misc.object

keyword

rsa.misc.observed_val

This key captures the Value observed (from the perspective of the device generating the log).

keyword

rsa.misc.operation

keyword

rsa.misc.operation_id

An alert number or operation number. The values should be unique and non-repeating.

keyword

rsa.misc.opkt

keyword

rsa.misc.orig_from

keyword

rsa.misc.owner_id

keyword

rsa.misc.p_action

keyword

rsa.misc.p_filter

keyword

rsa.misc.p_group_object

keyword

rsa.misc.p_id

keyword

rsa.misc.p_msgid

keyword

rsa.misc.p_msgid1

keyword

rsa.misc.p_msgid2

keyword

rsa.misc.p_result1

keyword

rsa.misc.param

This key is the parameters passed as part of a command or application, etc.

keyword

rsa.misc.param_dst

This key captures the command line/launch argument of the target process or file

keyword

rsa.misc.param_src

This key captures source parameter

keyword

rsa.misc.parent_node

This key captures the Parent Node Name. Must be related to node variable.

keyword

rsa.misc.password_chg

keyword

rsa.misc.password_expire

keyword

rsa.misc.payload_dst

This key is used to capture destination payload

keyword

rsa.misc.payload_src

This key is used to capture source payload

keyword

rsa.misc.permgranted

keyword

rsa.misc.permwanted

keyword

rsa.misc.pgid

keyword

rsa.misc.phone

keyword

rsa.misc.pid

keyword

rsa.misc.policy

keyword

rsa.misc.policyUUID

keyword

rsa.misc.policy_id

This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

keyword

rsa.misc.policy_name

This key is used to capture the Policy Name only.

keyword

rsa.misc.policy_value

This key captures the contents of the policy. This contains details about the policy

keyword

rsa.misc.policy_waiver

keyword

rsa.misc.pool_id

This key captures the identifier (typically numeric field) of a resource pool

keyword

rsa.misc.pool_name

This key captures the name of a resource pool

keyword

rsa.misc.port_name

This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

keyword

rsa.misc.priority

keyword

rsa.misc.process_id_val

This key is a failure key for Process ID when it is not an integer value

keyword

rsa.misc.prog_asp_num

keyword

rsa.misc.program

keyword

rsa.misc.real_data

keyword

rsa.misc.reason

keyword

rsa.misc.rec_asp_device

keyword

rsa.misc.rec_asp_num

keyword

rsa.misc.rec_library

keyword

rsa.misc.recordnum

keyword

rsa.misc.reference_id

This key is used to capture an event id from the session directly

keyword

rsa.misc.reference_id1

This key is for Linked ID to be used as an addition to "reference.id"

keyword

rsa.misc.reference_id2

This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

keyword

rsa.misc.result

This key is used to capture the outcome/result string value of an action in a session.

keyword

rsa.misc.result_code

This key is used to capture the outcome/result numeric value of an action in a session

keyword

rsa.misc.risk

This key captures the non-numeric risk value

keyword

rsa.misc.risk_info

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

keyword

rsa.misc.risk_num

This key captures a Numeric Risk value

double

rsa.misc.risk_num_comm

This key captures Risk Number Community

double

rsa.misc.risk_num_next

This key captures Risk Number NextGen

double

rsa.misc.risk_num_sand

This key captures Risk Number SandBox

double

rsa.misc.risk_num_static

This key captures Risk Number Static

double

rsa.misc.risk_suspicious

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

keyword

rsa.misc.risk_warning

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

keyword

rsa.misc.ruid

keyword

rsa.misc.rule

This key captures the Rule number

keyword

rsa.misc.rule_group

This key captures the Rule group name

keyword

rsa.misc.rule_name

This key captures the Rule Name

keyword

rsa.misc.rule_template

A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template

keyword

rsa.misc.rule_uid

This key is the Unique Identifier for a rule.

keyword

rsa.misc.sburb

keyword

rsa.misc.sdomain_fld

keyword

rsa.misc.search_text

This key captures the Search Text used

keyword

rsa.misc.sec

keyword

rsa.misc.second

keyword

rsa.misc.sensor

This key captures Name of the sensor. Typically used in IDS/IPS based devices

keyword

rsa.misc.sensorname

keyword

rsa.misc.seqnum

keyword

rsa.misc.serial_number

This key is the Serial number associated with a physical asset.

keyword

rsa.misc.session

keyword

rsa.misc.sessiontype

keyword

rsa.misc.severity

This key is used to capture the severity given the session

keyword

rsa.misc.sigUUID

keyword

rsa.misc.sig_id

This key captures IDS/IPS Int Signature ID

long

rsa.misc.sig_id1

This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

long

rsa.misc.sig_id_str

This key captures a string object of the sigid variable.

keyword

rsa.misc.sig_name

This key is used to capture the Signature Name only.

keyword

rsa.misc.sigcat

keyword

rsa.misc.snmp_oid

SNMP Object Identifier

keyword

rsa.misc.snmp_value

SNMP set request value

keyword

rsa.misc.space

keyword

rsa.misc.space1

keyword

rsa.misc.spi

keyword

rsa.misc.spi_dst

Destination SPI Index

keyword

rsa.misc.spi_src

Source SPI Index

keyword

rsa.misc.sql

This key captures the SQL query

keyword

rsa.misc.srcburb

keyword

rsa.misc.srcdom

keyword

rsa.misc.srcservice

keyword

rsa.misc.state

keyword

rsa.misc.status

keyword

rsa.misc.status1

keyword

rsa.misc.streams

This key captures number of streams in session

long

rsa.misc.subcategory

keyword

rsa.misc.svcno

keyword

rsa.misc.system

keyword

rsa.misc.tbdstr1

keyword

rsa.misc.tbdstr2

keyword

rsa.misc.tcp_flags

This key is captures the TCP flags set in any packet of session

long

rsa.misc.terminal

This key captures the Terminal Names only

keyword

rsa.misc.tgtdom

keyword

rsa.misc.tgtdomain

keyword

rsa.misc.threshold

keyword

rsa.misc.tos

This key describes the type of service

long

rsa.misc.trigger_desc

This key captures the Description of the trigger or threshold condition.

keyword

rsa.misc.trigger_val

This key captures the Value of the trigger or threshold condition.

keyword

rsa.misc.type

keyword

rsa.misc.type1

keyword

rsa.misc.udb_class

keyword

rsa.misc.url_fld

keyword

rsa.misc.user_div

keyword

rsa.misc.userid

keyword

rsa.misc.username_fld

keyword

rsa.misc.utcstamp

keyword

rsa.misc.v_instafname

keyword

rsa.misc.version

This key captures Version of the application or OS which is generating the event.

keyword

rsa.misc.virt_data

keyword

rsa.misc.virusname

This key captures the name of the virus

keyword

rsa.misc.vm_target

VMWare Target VMWARE only varaible.

keyword

rsa.misc.vpnid

keyword

rsa.misc.vsys

This key captures Virtual System Name

keyword

rsa.misc.vuln_ref

This key captures the Vulnerability Reference details

keyword

rsa.misc.workspace

This key captures Workspace Description

keyword

rsa.network.ad_computer_dst

Deprecated, use host.dst

keyword

rsa.network.addr

keyword

rsa.network.alias_host

This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.

keyword

rsa.network.dinterface

This key should only be used when it’s a Destination Interface

keyword

rsa.network.dmask

This key is used for Destionation Device network mask

keyword

rsa.network.dns_a_record

keyword

rsa.network.dns_cname_record

keyword

rsa.network.dns_id

keyword

rsa.network.dns_opcode

keyword

rsa.network.dns_ptr_record

keyword

rsa.network.dns_resp

keyword

rsa.network.dns_type

keyword

rsa.network.domain

keyword

rsa.network.domain1

keyword

rsa.network.eth_host

Deprecated, use alias.mac

keyword

rsa.network.eth_type

This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

long

rsa.network.faddr

keyword

rsa.network.fhost

keyword

rsa.network.fport

keyword

rsa.network.gateway

This key is used to capture the IP Address of the gateway

keyword

rsa.network.host_dst

This key should only be used when it’s a Destination Hostname

keyword

rsa.network.host_orig

This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

keyword

rsa.network.host_type

keyword

rsa.network.icmp_code

This key is used to capture the ICMP code only

long

rsa.network.icmp_type

This key is used to capture the ICMP type only

long

rsa.network.interface

This key should be used when the source or destination context of an interface is not clear

keyword

rsa.network.ip_proto

This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI

long

rsa.network.laddr

keyword

rsa.network.lhost

keyword

rsa.network.linterface

keyword

rsa.network.mask

This key is used to capture the device network IPmask.

keyword

rsa.network.netname

This key is used to capture the network name associated with an IP range. This is configured by the end user.

keyword

rsa.network.network_port

Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

long

rsa.network.network_service

This is used to capture layer 7 protocols/service names

keyword

rsa.network.origin

keyword

rsa.network.packet_length

keyword

rsa.network.paddr

Deprecated

ip

rsa.network.phost

keyword

rsa.network.port

This key should only be used to capture a Network Port when the directionality is not clear

long

rsa.network.protocol_detail

This key should be used to capture additional protocol information

keyword

rsa.network.remote_domain_id

keyword

rsa.network.rpayload

This key is used to capture the total number of payload bytes seen in the retransmitted packets.

keyword

rsa.network.sinterface

This key should only be used when it’s a Source Interface

keyword

rsa.network.smask

This key is used for capturing source Network Mask

keyword

rsa.network.vlan

This key should only be used to capture the ID of the Virtual LAN

long

rsa.network.vlan_name

This key should only be used to capture the name of the Virtual LAN

keyword

rsa.network.zone

This key should be used when the source or destination context of a Zone is not clear

keyword

rsa.network.zone_dst

This key should only be used when it’s a Destination Zone.

keyword

rsa.network.zone_src

This key should only be used when it’s a Source Zone.

keyword

rsa.physical.org_dst

This is used to capture the destination organization based on the GEOPIP Maxmind database.

keyword

rsa.physical.org_src

This is used to capture the source organization based on the GEOPIP Maxmind database.

keyword

rsa.storage.disk_volume

A unique name assigned to logical units (volumes) within a physical disk

keyword

rsa.storage.lun

Logical Unit Number.This key is a very useful concept in Storage.

keyword

rsa.storage.pwwn

This uniquely identifies a port on a HBA.

keyword

rsa.threat.alert

This key is used to capture name of the alert

keyword

rsa.threat.threat_category

This key captures Threat Name/Threat Category/Categorization of alert

keyword

rsa.threat.threat_desc

This key is used to capture the threat description from the session directly or inferred

keyword

rsa.threat.threat_source

This key is used to capture source of the threat

keyword

rsa.time.date

keyword

rsa.time.datetime

keyword

rsa.time.day

keyword

rsa.time.duration_str

A text string version of the duration

keyword

rsa.time.duration_time

This key is used to capture the normalized duration/lifetime in seconds.

double

rsa.time.effective_time

This key is the effective time referenced by an individual event in a Standard Timestamp format

date

rsa.time.endtime

This key is used to capture the End time mentioned in a session in a standard form

date

rsa.time.event_queue_time

This key is the Time that the event was queued.

date

rsa.time.event_time

This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form

date

rsa.time.event_time_str

This key is used to capture the incomplete time mentioned in a session as a string

keyword

rsa.time.eventtime

keyword

rsa.time.expire_time

This key is the timestamp that explicitly refers to an expiration.

date

rsa.time.expire_time_str

This key is used to capture incomplete timestamp that explicitly refers to an expiration.

keyword

rsa.time.gmtdate

keyword

rsa.time.gmttime

keyword

rsa.time.hour

keyword

rsa.time.min

keyword

rsa.time.month

keyword

rsa.time.p_date

keyword

rsa.time.p_month

keyword

rsa.time.p_time

keyword

rsa.time.p_time1

keyword

rsa.time.p_time2

keyword

rsa.time.p_year

keyword

rsa.time.process_time

Deprecated, use duration.time

keyword

rsa.time.recorded_time

The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it’s own timestamp at the time of collection from its child nodes. Must be in timestamp format.

date

rsa.time.stamp

Deprecated key defined only in table map.

date

rsa.time.starttime

This key is used to capture the Start time mentioned in a session in a standard form

date

rsa.time.timestamp

keyword

rsa.time.timezone

This key is used to capture the timezone of the Event Time

keyword

rsa.time.tzone

keyword

rsa.time.year

keyword

rsa.web.alias_host

keyword

rsa.web.cn_asn_dst

keyword

rsa.web.cn_rpackets

keyword

rsa.web.fqdn

Fully Qualified Domain Names

keyword

rsa.web.p_url

keyword

rsa.web.p_user_agent

keyword

rsa.web.p_web_cookie

keyword

rsa.web.p_web_method

keyword

rsa.web.p_web_referer

keyword

rsa.web.remote_domain

keyword

rsa.web.reputation_num

Reputation Number of an entity. Typically used for Web Domains

double

rsa.web.urlpage

keyword

rsa.web.urlroot

keyword

rsa.web.web_cookie

This key is used to capture the Web cookies specifically.

keyword

rsa.web.web_extension_tmp

keyword

rsa.web.web_page

keyword

rsa.web.web_ref_domain

Web referer’s domain

keyword

rsa.web.web_ref_page

This key captures Web referer’s page information

keyword

rsa.web.web_ref_query

This key captures Web referer’s query portion of the URL

keyword

rsa.web.web_ref_root

Web referer’s root URL path

keyword

rsa.wireless.access_point

This key is used to capture the access point name.

keyword

rsa.wireless.wlan_channel

This is used to capture the channel names

long

rsa.wireless.wlan_name

This key captures either WLAN number/name

keyword

rsa.wireless.wlan_ssid

This key is used to capture the ssid of a Wireless Session

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

0.21.1

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

0.21.0

Enhancement (View pull request)
Allow @custom pipeline access to event.original without setting preserve_original_event.

0.20.0

Enhancement (View pull request)
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

0.19.3

Enhancement (View pull request)
Fix kibana.version syntax in manifest.

0.19.2

Enhancement (View pull request)
Changed owners

0.19.1

Bug fix (View pull request)
Fix exclude_files pattern.

0.19.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.18.0

Enhancement (View pull request)
ECS version updated to 8.10.0.

0.17.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

0.16.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

0.15.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

0.14.0

Enhancement (View pull request)
Update package-spec version to 2.7.0.

0.13.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

0.12.1

Enhancement (View pull request)
Added categories and/or subcategories.

0.12.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

0.11.1

Bug fix (View pull request)
Update docs to match field definitions.

0.11.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

0.10.2

Bug fix (View pull request)
Remove duplicate fields.

0.10.1

Enhancement (View pull request)
Use ECS geo.location definition.

0.10.0

Enhancement (View pull request)
Update package to ECS 8.4.0

0.9.1

Enhancement (View pull request)
Added link to vendor documentation in readme.md

0.9.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

0.8.1

Bug fix (View pull request)
Format host.mac as per ECS.

0.8.0

Enhancement (View pull request)
Update to ECS 8.2.0

0.7.0

Enhancement (View pull request)
Update to ECS 8.0.0

0.6.1

Bug fix (View pull request)
Regenerate test files using the new GeoIP database

0.6.0

Enhancement (View pull request)
Add 8.0.0 version constraint

0.5.4

Enhancement (View pull request)
Uniform with guidelines

0.5.3

Enhancement (View pull request)
Update Title and Description.

0.5.2

Bug fix (View pull request)
Fixed a bug that prevents the package from working in 7.16.

0.5.1

Bug fix (View pull request)
Fix logic that checks for the forwarded tag

0.5.0

Enhancement (View pull request)
Update to ECS 1.12.0

0.4.3

Bug fix (View pull request)
Requires version 7.14.1 of the stack

0.4.2

Enhancement (View pull request)
Convert to generated ECS fields

0.4.1

Enhancement (View pull request)
update to ECS 1.11.0

0.4.0

Enhancement (View pull request)
Update integration description

0.3.0

Enhancement (View pull request)
Set "event.module" and "event.dataset"

0.2.0

Enhancement (View pull request)
update to ECS 1.10.0 and add event.original options

0.1.4

Enhancement (View pull request)
update to ECS 1.9.0

0.1.0

Enhancement (View pull request)
initial release