-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
Copy pathfields.common.yml
123 lines (104 loc) · 3.31 KB
/
fields.common.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
- key: common
title: Common
description: >
Contains common fields available in all event types.
fields:
- name: event.module
description: >
The name of the module that generated the event.
- name: event.action
type: keyword
example: logged-in
description: >
Action describes the change that triggered the event.
For the file integrity module the possible values are:
attributes_modified, created, deleted, updated, moved, and config_change.
- name: file
type: group
description: File attributes.
fields:
- name: path
type: text
description: The path to the file.
multi_fields:
- name: raw
type: keyword
description: >
The path to the file. This is a non-analyzed field that is useful
for aggregations.
- name: target_path
type: keyword
description: The target path for symlinks.
- name: type
type: keyword
description: The file type (file, dir, or symlink).
- name: device
type: keyword
description: The device.
- name: inode
type: keyword
description: The inode representing the file in the filesystem.
- name: uid
type: keyword
description: >
The user ID (UID) or security identifier (SID) of the file owner.
- name: owner
type: keyword
description: The file owner's username.
- name: gid
type: keyword
description: The primary group ID (GID) of the file.
- name: group
type: keyword
description: The primary group name of the file.
- name: mode
type: keyword
example: 0640
description: The mode of the file in octal representation.
- name: setuid
type: boolean
example: true
description: Set if the file has the `setuid` bit set. Omitted otherwise.
- name: setgid
type: boolean
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: size
type: long
description: The file size in bytes (field is only added when `type` is `file`).
- name: mtime
type: date
description: The last modified time of the file (time when content was modified).
- name: ctime
type: date
description: The last change time of the file (time when metadata was changed).
- name: origin
type: text
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
supported in macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
- name: selinux
type: group
description: The SELinux identity of the file.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.