Common fields

Contains common fields available in all event types.
file fields

File attributes.

- file.setuid
  type: boolean
  example: True
  Set if the file has the setuid bit set. Omitted otherwise.

- file.setgid
  type: boolean
  example: True
  Set if the file has the setgid bit set. Omitted otherwise.

- file.origin
  type: keyword
  An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

- file.origin.raw
  type: keyword
  This is a non-analyzed field that is useful for aggregations on the origin data.
selinux fields

The SELinux identity of the file.

- file.selinux.user
  type: keyword
  The owner of the object.

- file.selinux.role
  type: keyword
  The object’s SELinux role.

- file.selinux.domain
  type: keyword
  The object’s SELinux domain or type.

- file.selinux.level
  type: keyword
  example: s0
  The object’s SELinux level.
user fields

User information.

audit fields

Audit user information.

- user.audit.id
  type: keyword
  Audit user ID.

- user.audit.name
  type: keyword
  Audit user name.
effective fields

Effective user information.

- user.effective.id
  type: keyword
  Effective user ID.

- user.effective.name
  type: keyword
  Effective user name.

group fields

Effective group information.

- user.effective.group.id
  type: keyword
  Effective group ID.

- user.effective.group.name
  type: keyword
  Effective group name.
filesystem fields

Filesystem user information.

- user.filesystem.id
  type: keyword
  Filesystem user ID.

- user.filesystem.name
  type: keyword
  Filesystem user name.

group fields

Filesystem group information.

- user.filesystem.group.id
  type: keyword
  Filesystem group ID.

- user.filesystem.group.name
  type: keyword
  Filesystem group name.
saved fields

Saved user information.

- user.saved.id
  type: keyword
  Saved user ID.

- user.saved.name
  type: keyword
  Saved user name.

group fields

Saved group information.

- user.saved.group.id
  type: keyword
  Saved group ID.

- user.saved.group.name
  type: keyword
  Saved group name.