⚠️ Outdated Version: You are viewing ECS version 1.12, which is outdated. View the latest version (9.0)

ECS Version:

Threat

Fields to classify events and alerts according to a threat taxonomy.

Fields

Field Summary

Field	Type	Level	Description
`threat.enrichments`	nested	Extended	List of objects containing indicators enriching the event.
`threat.enrichments.indicator`	object	Extended	Object containing indicators enriching the event.
`threat.enrichments.indicator.as.number`	long	Extended	Unique number allocated to the autonomous system.
`threat.enrichments.indicator.as.organization.name`	keyword	Extended	Organization name.
`threat.enrichments.indicator.as.organization.name.text`	match_only_text	Extended	Organization name.
`threat.enrichments.indicator.confidence`	keyword	Extended	Indicator confidence rating
`threat.enrichments.indicator.description`	keyword	Extended	Indicator description
`threat.enrichments.indicator.email.address`	keyword	Extended	Indicator email address
`threat.enrichments.indicator.file.accessed`	date	Extended	Last time the file was accessed.
`threat.enrichments.indicator.file.attributes`	keyword	Extended	Array of file attributes.
`threat.enrichments.indicator.file.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`threat.enrichments.indicator.file.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`threat.enrichments.indicator.file.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`threat.enrichments.indicator.file.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`threat.enrichments.indicator.file.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`threat.enrichments.indicator.file.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`threat.enrichments.indicator.file.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`threat.enrichments.indicator.file.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`threat.enrichments.indicator.file.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`threat.enrichments.indicator.file.created`	date	Extended	File creation time.
`threat.enrichments.indicator.file.ctime`	date	Extended	Last time the file attributes or metadata changed.
`threat.enrichments.indicator.file.device`	keyword	Extended	Device that is the source of the file.
`threat.enrichments.indicator.file.directory`	keyword	Extended	Directory where the file is located.
`threat.enrichments.indicator.file.drive_letter`	keyword	Extended	Drive letter where the file is located.
`threat.enrichments.indicator.file.elf.architecture`	keyword	Extended	Machine architecture of the ELF file.
`threat.enrichments.indicator.file.elf.byte_order`	keyword	Extended	Byte sequence of ELF file.
`threat.enrichments.indicator.file.elf.cpu_type`	keyword	Extended	CPU type of the ELF file.
`threat.enrichments.indicator.file.elf.creation_date`	date	Extended	Build or compile date.
`threat.enrichments.indicator.file.elf.exports`	flattened	Extended	List of exported element names and types.
`threat.enrichments.indicator.file.elf.header.abi_version`	keyword	Extended	Version of the ELF Application Binary Interface (ABI).
`threat.enrichments.indicator.file.elf.header.class`	keyword	Extended	Header class of the ELF file.
`threat.enrichments.indicator.file.elf.header.data`	keyword	Extended	Data table of the ELF header.
`threat.enrichments.indicator.file.elf.header.entrypoint`	long	Extended	Header entrypoint of the ELF file.
`threat.enrichments.indicator.file.elf.header.object_version`	keyword	Extended	"0x1" for original ELF files.
`threat.enrichments.indicator.file.elf.header.os_abi`	keyword	Extended	Application Binary Interface (ABI) of the Linux OS.
`threat.enrichments.indicator.file.elf.header.type`	keyword	Extended	Header type of the ELF file.
`threat.enrichments.indicator.file.elf.header.version`	keyword	Extended	Version of the ELF header.
`threat.enrichments.indicator.file.elf.imports`	flattened	Extended	List of imported element names and types.
`threat.enrichments.indicator.file.elf.sections`	nested	Extended	Section information of the ELF file.
`threat.enrichments.indicator.file.elf.sections.chi2`	long	Extended	Chi-square probability distribution of the section.
`threat.enrichments.indicator.file.elf.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`threat.enrichments.indicator.file.elf.sections.flags`	keyword	Extended	ELF Section List flags.
`threat.enrichments.indicator.file.elf.sections.name`	keyword	Extended	ELF Section List name.
`threat.enrichments.indicator.file.elf.sections.physical_offset`	keyword	Extended	ELF Section List offset.
`threat.enrichments.indicator.file.elf.sections.physical_size`	long	Extended	ELF Section List physical size.
`threat.enrichments.indicator.file.elf.sections.type`	keyword	Extended	ELF Section List type.
`threat.enrichments.indicator.file.elf.sections.virtual_address`	long	Extended	ELF Section List virtual address.
`threat.enrichments.indicator.file.elf.sections.virtual_size`	long	Extended	ELF Section List virtual size.
`threat.enrichments.indicator.file.elf.segments`	nested	Extended	ELF object segment list.
`threat.enrichments.indicator.file.elf.segments.sections`	keyword	Extended	ELF object segment sections.
`threat.enrichments.indicator.file.elf.segments.type`	keyword	Extended	ELF object segment type.
`threat.enrichments.indicator.file.elf.shared_libraries`	keyword	Extended	List of shared libraries used by this ELF object.
`threat.enrichments.indicator.file.elf.telfhash`	keyword	Extended	telfhash hash for ELF file.
`threat.enrichments.indicator.file.extension`	keyword	Extended	File extension, excluding the leading dot.
`threat.enrichments.indicator.file.fork_name`	keyword	Extended	A fork is additional data associated with a filesystem object.
`threat.enrichments.indicator.file.gid`	keyword	Extended	Primary group ID (GID) of the file.
`threat.enrichments.indicator.file.group`	keyword	Extended	Primary group name of the file.
`threat.enrichments.indicator.file.hash.md5`	keyword	Extended	MD5 hash.
`threat.enrichments.indicator.file.hash.sha1`	keyword	Extended	SHA1 hash.
`threat.enrichments.indicator.file.hash.sha256`	keyword	Extended	SHA256 hash.
`threat.enrichments.indicator.file.hash.sha512`	keyword	Extended	SHA512 hash.
`threat.enrichments.indicator.file.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`threat.enrichments.indicator.file.inode`	keyword	Extended	Inode representing the file in the filesystem.
`threat.enrichments.indicator.file.mime_type`	keyword	Extended	Media type of file, document, or arrangement of bytes.
`threat.enrichments.indicator.file.mode`	keyword	Extended	Mode of the file in octal representation.
`threat.enrichments.indicator.file.mtime`	date	Extended	Last time the file content was modified.
`threat.enrichments.indicator.file.name`	keyword	Extended	Name of the file including the extension, without the directory.
`threat.enrichments.indicator.file.owner`	keyword	Extended	File owner's username.
`threat.enrichments.indicator.file.path`	keyword	Extended	Full path to the file, including the file name.
`threat.enrichments.indicator.file.path.text`	match_only_text	Extended	Full path to the file, including the file name.
`threat.enrichments.indicator.file.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`threat.enrichments.indicator.file.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`threat.enrichments.indicator.file.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`threat.enrichments.indicator.file.pe.file_version`	keyword	Extended	Process name.
`threat.enrichments.indicator.file.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`threat.enrichments.indicator.file.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`threat.enrichments.indicator.file.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.
`threat.enrichments.indicator.file.size`	long	Extended	File size in bytes.
`threat.enrichments.indicator.file.target_path`	keyword	Extended	Target path for symlinks.
`threat.enrichments.indicator.file.target_path.text`	match_only_text	Extended	Target path for symlinks.
`threat.enrichments.indicator.file.type`	keyword	Extended	File type (file, dir, or symlink).
`threat.enrichments.indicator.file.uid`	keyword	Extended	The user ID (UID) or security identifier (SID) of the file owner.
`threat.enrichments.indicator.file.x509.alternative_names`	keyword	Extended	List of subject alternative names (SAN).
`threat.enrichments.indicator.file.x509.issuer.common_name`	keyword	Extended	List of common name (CN) of issuing certificate authority.
`threat.enrichments.indicator.file.x509.issuer.country`	keyword	Extended	List of country (C) codes
`threat.enrichments.indicator.file.x509.issuer.distinguished_name`	keyword	Extended	Distinguished name (DN) of issuing certificate authority.
`threat.enrichments.indicator.file.x509.issuer.locality`	keyword	Extended	List of locality names (L)
`threat.enrichments.indicator.file.x509.issuer.organization`	keyword	Extended	List of organizations (O) of issuing certificate authority.
`threat.enrichments.indicator.file.x509.issuer.organizational_unit`	keyword	Extended	List of organizational units (OU) of issuing certificate authority.
`threat.enrichments.indicator.file.x509.issuer.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.enrichments.indicator.file.x509.not_after`	date	Extended	Time at which the certificate is no longer considered valid.
`threat.enrichments.indicator.file.x509.not_before`	date	Extended	Time at which the certificate is first considered valid.
`threat.enrichments.indicator.file.x509.public_key_algorithm`	keyword	Extended	Algorithm used to generate the public key.
`threat.enrichments.indicator.file.x509.public_key_curve`	keyword	Extended	The curve used by the elliptic curve public key algorithm. This is algorithm specific.
`threat.enrichments.indicator.file.x509.public_key_exponent`	long	Extended	Exponent used to derive the public key. This is algorithm specific.
`threat.enrichments.indicator.file.x509.public_key_size`	long	Extended	The size of the public key space in bits.
`threat.enrichments.indicator.file.x509.serial_number`	keyword	Extended	Unique serial number issued by the certificate authority.
`threat.enrichments.indicator.file.x509.signature_algorithm`	keyword	Extended	Identifier for certificate signature algorithm.
`threat.enrichments.indicator.file.x509.subject.common_name`	keyword	Extended	List of common names (CN) of subject.
`threat.enrichments.indicator.file.x509.subject.country`	keyword	Extended	List of country (C) code
`threat.enrichments.indicator.file.x509.subject.distinguished_name`	keyword	Extended	Distinguished name (DN) of the certificate subject entity.
`threat.enrichments.indicator.file.x509.subject.locality`	keyword	Extended	List of locality names (L)
`threat.enrichments.indicator.file.x509.subject.organization`	keyword	Extended	List of organizations (O) of subject.
`threat.enrichments.indicator.file.x509.subject.organizational_unit`	keyword	Extended	List of organizational units (OU) of subject.
`threat.enrichments.indicator.file.x509.subject.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.enrichments.indicator.file.x509.version_number`	keyword	Extended	Version of x509 format.
`threat.enrichments.indicator.first_seen`	date	Extended	Date/time indicator was first reported.
`threat.enrichments.indicator.geo.city_name`	keyword	Core	City name.
`threat.enrichments.indicator.geo.continent_code`	keyword	Core	Continent code.
`threat.enrichments.indicator.geo.continent_name`	keyword	Core	Name of the continent.
`threat.enrichments.indicator.geo.country_iso_code`	keyword	Core	Country ISO code.
`threat.enrichments.indicator.geo.country_name`	keyword	Core	Country name.
`threat.enrichments.indicator.geo.location`	geo_point	Core	Longitude and latitude.
`threat.enrichments.indicator.geo.name`	keyword	Extended	User-defined description of a location.
`threat.enrichments.indicator.geo.postal_code`	keyword	Core	Postal code.
`threat.enrichments.indicator.geo.region_iso_code`	keyword	Core	Region ISO code.
`threat.enrichments.indicator.geo.region_name`	keyword	Core	Region name.
`threat.enrichments.indicator.geo.timezone`	keyword	Core	Time zone.
`threat.enrichments.indicator.ip`	ip	Extended	Indicator IP address
`threat.enrichments.indicator.last_seen`	date	Extended	Date/time indicator was last reported.
`threat.enrichments.indicator.marking.tlp`	keyword	Extended	Indicator TLP marking
`threat.enrichments.indicator.modified_at`	date	Extended	Date/time indicator was last updated.
`threat.enrichments.indicator.port`	long	Extended	Indicator port
`threat.enrichments.indicator.provider`	keyword	Extended	Indicator provider
`threat.enrichments.indicator.reference`	keyword	Extended	Indicator reference URL
`threat.enrichments.indicator.registry.data.bytes`	keyword	Extended	Original bytes written with base64 encoding.
`threat.enrichments.indicator.registry.data.strings`	wildcard	Core	List of strings representing what was written to the registry.
`threat.enrichments.indicator.registry.data.type`	keyword	Core	Standard registry type for encoding contents
`threat.enrichments.indicator.registry.hive`	keyword	Core	Abbreviated name for the hive.
`threat.enrichments.indicator.registry.key`	keyword	Core	Hive-relative path of keys.
`threat.enrichments.indicator.registry.path`	keyword	Core	Full path, including hive, key and value
`threat.enrichments.indicator.registry.value`	keyword	Core	Name of the value written.
`threat.enrichments.indicator.scanner_stats`	long	Extended	Scanner statistics
`threat.enrichments.indicator.sightings`	long	Extended	Number of times indicator observed
`threat.enrichments.indicator.type`	keyword	Extended	Type of indicator
`threat.enrichments.indicator.url.domain`	keyword	Extended	Domain of the url.
`threat.enrichments.indicator.url.extension`	keyword	Extended	File extension from the request url, excluding the leading dot.
`threat.enrichments.indicator.url.fragment`	keyword	Extended	Portion of the url after the `#`.
`threat.enrichments.indicator.url.full`	wildcard	Extended	Full unparsed URL.
`threat.enrichments.indicator.url.full.text`	match_only_text	Extended	Full unparsed URL.
`threat.enrichments.indicator.url.original`	wildcard	Extended	Unmodified original url as seen in the event source.
`threat.enrichments.indicator.url.original.text`	match_only_text	Extended	Unmodified original url as seen in the event source.
`threat.enrichments.indicator.url.password`	keyword	Extended	Password of the request.
`threat.enrichments.indicator.url.path`	wildcard	Extended	Path of the request, such as "/search".
`threat.enrichments.indicator.url.port`	long	Extended	Port of the request, such as 443.
`threat.enrichments.indicator.url.query`	keyword	Extended	Query string of the request.
`threat.enrichments.indicator.url.registered_domain`	keyword	Extended	The highest registered url domain, stripped of the subdomain.
`threat.enrichments.indicator.url.scheme`	keyword	Extended	Scheme of the url.
`threat.enrichments.indicator.url.subdomain`	keyword	Extended	The subdomain of the domain.
`threat.enrichments.indicator.url.top_level_domain`	keyword	Extended	The effective top level domain (com, org, net, co.uk).
`threat.enrichments.indicator.url.username`	keyword	Extended	Username of the request.
`threat.enrichments.indicator.x509.alternative_names`	keyword	Extended	List of subject alternative names (SAN).
`threat.enrichments.indicator.x509.issuer.common_name`	keyword	Extended	List of common name (CN) of issuing certificate authority.
`threat.enrichments.indicator.x509.issuer.country`	keyword	Extended	List of country (C) codes
`threat.enrichments.indicator.x509.issuer.distinguished_name`	keyword	Extended	Distinguished name (DN) of issuing certificate authority.
`threat.enrichments.indicator.x509.issuer.locality`	keyword	Extended	List of locality names (L)
`threat.enrichments.indicator.x509.issuer.organization`	keyword	Extended	List of organizations (O) of issuing certificate authority.
`threat.enrichments.indicator.x509.issuer.organizational_unit`	keyword	Extended	List of organizational units (OU) of issuing certificate authority.
`threat.enrichments.indicator.x509.issuer.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.enrichments.indicator.x509.not_after`	date	Extended	Time at which the certificate is no longer considered valid.
`threat.enrichments.indicator.x509.not_before`	date	Extended	Time at which the certificate is first considered valid.
`threat.enrichments.indicator.x509.public_key_algorithm`	keyword	Extended	Algorithm used to generate the public key.
`threat.enrichments.indicator.x509.public_key_curve`	keyword	Extended	The curve used by the elliptic curve public key algorithm. This is algorithm specific.
`threat.enrichments.indicator.x509.public_key_exponent`	long	Extended	Exponent used to derive the public key. This is algorithm specific.
`threat.enrichments.indicator.x509.public_key_size`	long	Extended	The size of the public key space in bits.
`threat.enrichments.indicator.x509.serial_number`	keyword	Extended	Unique serial number issued by the certificate authority.
`threat.enrichments.indicator.x509.signature_algorithm`	keyword	Extended	Identifier for certificate signature algorithm.
`threat.enrichments.indicator.x509.subject.common_name`	keyword	Extended	List of common names (CN) of subject.
`threat.enrichments.indicator.x509.subject.country`	keyword	Extended	List of country (C) code
`threat.enrichments.indicator.x509.subject.distinguished_name`	keyword	Extended	Distinguished name (DN) of the certificate subject entity.
`threat.enrichments.indicator.x509.subject.locality`	keyword	Extended	List of locality names (L)
`threat.enrichments.indicator.x509.subject.organization`	keyword	Extended	List of organizations (O) of subject.
`threat.enrichments.indicator.x509.subject.organizational_unit`	keyword	Extended	List of organizational units (OU) of subject.
`threat.enrichments.indicator.x509.subject.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.enrichments.indicator.x509.version_number`	keyword	Extended	Version of x509 format.
`threat.enrichments.matched.atomic`	keyword	Extended	Matched indicator value
`threat.enrichments.matched.field`	keyword	Extended	Matched indicator field
`threat.enrichments.matched.id`	keyword	Extended	Matched indicator identifier
`threat.enrichments.matched.index`	keyword	Extended	Matched indicator index
`threat.enrichments.matched.type`	keyword	Extended	Type of indicator match
`threat.framework`	keyword	Extended	Threat classification framework.
`threat.group.alias`	keyword	Extended	Alias of the group.
`threat.group.id`	keyword	Extended	ID of the group.
`threat.group.name`	keyword	Extended	Name of the group.
`threat.group.reference`	keyword	Extended	Reference URL of the group.
`threat.indicator.as.number`	long	Extended	Unique number allocated to the autonomous system.
`threat.indicator.as.organization.name`	keyword	Extended	Organization name.
`threat.indicator.as.organization.name.text`	match_only_text	Extended	Organization name.
`threat.indicator.confidence`	keyword	Extended	Indicator confidence rating
`threat.indicator.description`	keyword	Extended	Indicator description
`threat.indicator.email.address`	keyword	Extended	Indicator email address
`threat.indicator.file.accessed`	date	Extended	Last time the file was accessed.
`threat.indicator.file.attributes`	keyword	Extended	Array of file attributes.
`threat.indicator.file.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`threat.indicator.file.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`threat.indicator.file.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`threat.indicator.file.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`threat.indicator.file.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`threat.indicator.file.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`threat.indicator.file.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`threat.indicator.file.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`threat.indicator.file.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`threat.indicator.file.created`	date	Extended	File creation time.
`threat.indicator.file.ctime`	date	Extended	Last time the file attributes or metadata changed.
`threat.indicator.file.device`	keyword	Extended	Device that is the source of the file.
`threat.indicator.file.directory`	keyword	Extended	Directory where the file is located.
`threat.indicator.file.drive_letter`	keyword	Extended	Drive letter where the file is located.
`threat.indicator.file.elf.architecture`	keyword	Extended	Machine architecture of the ELF file.
`threat.indicator.file.elf.byte_order`	keyword	Extended	Byte sequence of ELF file.
`threat.indicator.file.elf.cpu_type`	keyword	Extended	CPU type of the ELF file.
`threat.indicator.file.elf.creation_date`	date	Extended	Build or compile date.
`threat.indicator.file.elf.exports`	flattened	Extended	List of exported element names and types.
`threat.indicator.file.elf.header.abi_version`	keyword	Extended	Version of the ELF Application Binary Interface (ABI).
`threat.indicator.file.elf.header.class`	keyword	Extended	Header class of the ELF file.
`threat.indicator.file.elf.header.data`	keyword	Extended	Data table of the ELF header.
`threat.indicator.file.elf.header.entrypoint`	long	Extended	Header entrypoint of the ELF file.
`threat.indicator.file.elf.header.object_version`	keyword	Extended	"0x1" for original ELF files.
`threat.indicator.file.elf.header.os_abi`	keyword	Extended	Application Binary Interface (ABI) of the Linux OS.
`threat.indicator.file.elf.header.type`	keyword	Extended	Header type of the ELF file.
`threat.indicator.file.elf.header.version`	keyword	Extended	Version of the ELF header.
`threat.indicator.file.elf.imports`	flattened	Extended	List of imported element names and types.
`threat.indicator.file.elf.sections`	nested	Extended	Section information of the ELF file.
`threat.indicator.file.elf.sections.chi2`	long	Extended	Chi-square probability distribution of the section.
`threat.indicator.file.elf.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`threat.indicator.file.elf.sections.flags`	keyword	Extended	ELF Section List flags.
`threat.indicator.file.elf.sections.name`	keyword	Extended	ELF Section List name.
`threat.indicator.file.elf.sections.physical_offset`	keyword	Extended	ELF Section List offset.
`threat.indicator.file.elf.sections.physical_size`	long	Extended	ELF Section List physical size.
`threat.indicator.file.elf.sections.type`	keyword	Extended	ELF Section List type.
`threat.indicator.file.elf.sections.virtual_address`	long	Extended	ELF Section List virtual address.
`threat.indicator.file.elf.sections.virtual_size`	long	Extended	ELF Section List virtual size.
`threat.indicator.file.elf.segments`	nested	Extended	ELF object segment list.
`threat.indicator.file.elf.segments.sections`	keyword	Extended	ELF object segment sections.
`threat.indicator.file.elf.segments.type`	keyword	Extended	ELF object segment type.
`threat.indicator.file.elf.shared_libraries`	keyword	Extended	List of shared libraries used by this ELF object.
`threat.indicator.file.elf.telfhash`	keyword	Extended	telfhash hash for ELF file.
`threat.indicator.file.extension`	keyword	Extended	File extension, excluding the leading dot.
`threat.indicator.file.fork_name`	keyword	Extended	A fork is additional data associated with a filesystem object.
`threat.indicator.file.gid`	keyword	Extended	Primary group ID (GID) of the file.
`threat.indicator.file.group`	keyword	Extended	Primary group name of the file.
`threat.indicator.file.hash.md5`	keyword	Extended	MD5 hash.
`threat.indicator.file.hash.sha1`	keyword	Extended	SHA1 hash.
`threat.indicator.file.hash.sha256`	keyword	Extended	SHA256 hash.
`threat.indicator.file.hash.sha512`	keyword	Extended	SHA512 hash.
`threat.indicator.file.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`threat.indicator.file.inode`	keyword	Extended	Inode representing the file in the filesystem.
`threat.indicator.file.mime_type`	keyword	Extended	Media type of file, document, or arrangement of bytes.
`threat.indicator.file.mode`	keyword	Extended	Mode of the file in octal representation.
`threat.indicator.file.mtime`	date	Extended	Last time the file content was modified.
`threat.indicator.file.name`	keyword	Extended	Name of the file including the extension, without the directory.
`threat.indicator.file.owner`	keyword	Extended	File owner's username.
`threat.indicator.file.path`	keyword	Extended	Full path to the file, including the file name.
`threat.indicator.file.path.text`	match_only_text	Extended	Full path to the file, including the file name.
`threat.indicator.file.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`threat.indicator.file.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`threat.indicator.file.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`threat.indicator.file.pe.file_version`	keyword	Extended	Process name.
`threat.indicator.file.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`threat.indicator.file.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`threat.indicator.file.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.
`threat.indicator.file.size`	long	Extended	File size in bytes.
`threat.indicator.file.target_path`	keyword	Extended	Target path for symlinks.
`threat.indicator.file.target_path.text`	match_only_text	Extended	Target path for symlinks.
`threat.indicator.file.type`	keyword	Extended	File type (file, dir, or symlink).
`threat.indicator.file.uid`	keyword	Extended	The user ID (UID) or security identifier (SID) of the file owner.
`threat.indicator.file.x509.alternative_names`	keyword	Extended	List of subject alternative names (SAN).
`threat.indicator.file.x509.issuer.common_name`	keyword	Extended	List of common name (CN) of issuing certificate authority.
`threat.indicator.file.x509.issuer.country`	keyword	Extended	List of country (C) codes
`threat.indicator.file.x509.issuer.distinguished_name`	keyword	Extended	Distinguished name (DN) of issuing certificate authority.
`threat.indicator.file.x509.issuer.locality`	keyword	Extended	List of locality names (L)
`threat.indicator.file.x509.issuer.organization`	keyword	Extended	List of organizations (O) of issuing certificate authority.
`threat.indicator.file.x509.issuer.organizational_unit`	keyword	Extended	List of organizational units (OU) of issuing certificate authority.
`threat.indicator.file.x509.issuer.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.indicator.file.x509.not_after`	date	Extended	Time at which the certificate is no longer considered valid.
`threat.indicator.file.x509.not_before`	date	Extended	Time at which the certificate is first considered valid.
`threat.indicator.file.x509.public_key_algorithm`	keyword	Extended	Algorithm used to generate the public key.
`threat.indicator.file.x509.public_key_curve`	keyword	Extended	The curve used by the elliptic curve public key algorithm. This is algorithm specific.
`threat.indicator.file.x509.public_key_exponent`	long	Extended	Exponent used to derive the public key. This is algorithm specific.
`threat.indicator.file.x509.public_key_size`	long	Extended	The size of the public key space in bits.
`threat.indicator.file.x509.serial_number`	keyword	Extended	Unique serial number issued by the certificate authority.
`threat.indicator.file.x509.signature_algorithm`	keyword	Extended	Identifier for certificate signature algorithm.
`threat.indicator.file.x509.subject.common_name`	keyword	Extended	List of common names (CN) of subject.
`threat.indicator.file.x509.subject.country`	keyword	Extended	List of country (C) code
`threat.indicator.file.x509.subject.distinguished_name`	keyword	Extended	Distinguished name (DN) of the certificate subject entity.
`threat.indicator.file.x509.subject.locality`	keyword	Extended	List of locality names (L)
`threat.indicator.file.x509.subject.organization`	keyword	Extended	List of organizations (O) of subject.
`threat.indicator.file.x509.subject.organizational_unit`	keyword	Extended	List of organizational units (OU) of subject.
`threat.indicator.file.x509.subject.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.indicator.file.x509.version_number`	keyword	Extended	Version of x509 format.
`threat.indicator.first_seen`	date	Extended	Date/time indicator was first reported.
`threat.indicator.geo.city_name`	keyword	Core	City name.
`threat.indicator.geo.continent_code`	keyword	Core	Continent code.
`threat.indicator.geo.continent_name`	keyword	Core	Name of the continent.
`threat.indicator.geo.country_iso_code`	keyword	Core	Country ISO code.
`threat.indicator.geo.country_name`	keyword	Core	Country name.
`threat.indicator.geo.location`	geo_point	Core	Longitude and latitude.
`threat.indicator.geo.name`	keyword	Extended	User-defined description of a location.
`threat.indicator.geo.postal_code`	keyword	Core	Postal code.
`threat.indicator.geo.region_iso_code`	keyword	Core	Region ISO code.
`threat.indicator.geo.region_name`	keyword	Core	Region name.
`threat.indicator.geo.timezone`	keyword	Core	Time zone.
`threat.indicator.ip`	ip	Extended	Indicator IP address
`threat.indicator.last_seen`	date	Extended	Date/time indicator was last reported.
`threat.indicator.marking.tlp`	keyword	Extended	Indicator TLP marking
`threat.indicator.modified_at`	date	Extended	Date/time indicator was last updated.
`threat.indicator.port`	long	Extended	Indicator port
`threat.indicator.provider`	keyword	Extended	Indicator provider
`threat.indicator.reference`	keyword	Extended	Indicator reference URL
`threat.indicator.registry.data.bytes`	keyword	Extended	Original bytes written with base64 encoding.
`threat.indicator.registry.data.strings`	wildcard	Core	List of strings representing what was written to the registry.
`threat.indicator.registry.data.type`	keyword	Core	Standard registry type for encoding contents
`threat.indicator.registry.hive`	keyword	Core	Abbreviated name for the hive.
`threat.indicator.registry.key`	keyword	Core	Hive-relative path of keys.
`threat.indicator.registry.path`	keyword	Core	Full path, including hive, key and value
`threat.indicator.registry.value`	keyword	Core	Name of the value written.
`threat.indicator.scanner_stats`	long	Extended	Scanner statistics
`threat.indicator.sightings`	long	Extended	Number of times indicator observed
`threat.indicator.type`	keyword	Extended	Type of indicator
`threat.indicator.url.domain`	keyword	Extended	Domain of the url.
`threat.indicator.url.extension`	keyword	Extended	File extension from the request url, excluding the leading dot.
`threat.indicator.url.fragment`	keyword	Extended	Portion of the url after the `#`.
`threat.indicator.url.full`	wildcard	Extended	Full unparsed URL.
`threat.indicator.url.full.text`	match_only_text	Extended	Full unparsed URL.
`threat.indicator.url.original`	wildcard	Extended	Unmodified original url as seen in the event source.
`threat.indicator.url.original.text`	match_only_text	Extended	Unmodified original url as seen in the event source.
`threat.indicator.url.password`	keyword	Extended	Password of the request.
`threat.indicator.url.path`	wildcard	Extended	Path of the request, such as "/search".
`threat.indicator.url.port`	long	Extended	Port of the request, such as 443.
`threat.indicator.url.query`	keyword	Extended	Query string of the request.
`threat.indicator.url.registered_domain`	keyword	Extended	The highest registered url domain, stripped of the subdomain.
`threat.indicator.url.scheme`	keyword	Extended	Scheme of the url.
`threat.indicator.url.subdomain`	keyword	Extended	The subdomain of the domain.
`threat.indicator.url.top_level_domain`	keyword	Extended	The effective top level domain (com, org, net, co.uk).
`threat.indicator.url.username`	keyword	Extended	Username of the request.
`threat.indicator.x509.alternative_names`	keyword	Extended	List of subject alternative names (SAN).
`threat.indicator.x509.issuer.common_name`	keyword	Extended	List of common name (CN) of issuing certificate authority.
`threat.indicator.x509.issuer.country`	keyword	Extended	List of country (C) codes
`threat.indicator.x509.issuer.distinguished_name`	keyword	Extended	Distinguished name (DN) of issuing certificate authority.
`threat.indicator.x509.issuer.locality`	keyword	Extended	List of locality names (L)
`threat.indicator.x509.issuer.organization`	keyword	Extended	List of organizations (O) of issuing certificate authority.
`threat.indicator.x509.issuer.organizational_unit`	keyword	Extended	List of organizational units (OU) of issuing certificate authority.
`threat.indicator.x509.issuer.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.indicator.x509.not_after`	date	Extended	Time at which the certificate is no longer considered valid.
`threat.indicator.x509.not_before`	date	Extended	Time at which the certificate is first considered valid.
`threat.indicator.x509.public_key_algorithm`	keyword	Extended	Algorithm used to generate the public key.
`threat.indicator.x509.public_key_curve`	keyword	Extended	The curve used by the elliptic curve public key algorithm. This is algorithm specific.
`threat.indicator.x509.public_key_exponent`	long	Extended	Exponent used to derive the public key. This is algorithm specific.
`threat.indicator.x509.public_key_size`	long	Extended	The size of the public key space in bits.
`threat.indicator.x509.serial_number`	keyword	Extended	Unique serial number issued by the certificate authority.
`threat.indicator.x509.signature_algorithm`	keyword	Extended	Identifier for certificate signature algorithm.
`threat.indicator.x509.subject.common_name`	keyword	Extended	List of common names (CN) of subject.
`threat.indicator.x509.subject.country`	keyword	Extended	List of country (C) code
`threat.indicator.x509.subject.distinguished_name`	keyword	Extended	Distinguished name (DN) of the certificate subject entity.
`threat.indicator.x509.subject.locality`	keyword	Extended	List of locality names (L)
`threat.indicator.x509.subject.organization`	keyword	Extended	List of organizations (O) of subject.
`threat.indicator.x509.subject.organizational_unit`	keyword	Extended	List of organizational units (OU) of subject.
`threat.indicator.x509.subject.state_or_province`	keyword	Extended	List of state or province names (ST, S, or P)
`threat.indicator.x509.version_number`	keyword	Extended	Version of x509 format.
`threat.software.alias`	keyword	Extended	Alias of the software
`threat.software.id`	keyword	Extended	ID of the software
`threat.software.name`	keyword	Extended	Name of the software.
`threat.software.platforms`	keyword	Extended	Platforms of the software.
`threat.software.reference`	keyword	Extended	Software reference URL.
`threat.software.type`	keyword	Extended	Software type.
`threat.tactic.id`	keyword	Extended	Threat tactic id.
`threat.tactic.name`	keyword	Extended	Threat tactic.
`threat.tactic.reference`	keyword	Extended	Threat tactic URL reference.
`threat.technique.id`	keyword	Extended	Threat technique id.
`threat.technique.name`	keyword	Extended	Threat technique name.
`threat.technique.name.text`	match_only_text	Extended	Threat technique name.
`threat.technique.reference`	keyword	Extended	Threat technique URL reference.
`threat.technique.subtechnique.id`	keyword	Extended	Threat subtechnique id.
`threat.technique.subtechnique.name`	keyword	Extended	Threat subtechnique name.
`threat.technique.subtechnique.name.text`	match_only_text	Extended	Threat subtechnique name.
`threat.technique.subtechnique.reference`	keyword	Extended	Threat subtechnique URL reference.

`threat.enrichments.indicator.file.created`

Type: date

Level: Extended

Description: File creation time.

Indexed: true

Type: date

Level: Extended

Description: Build or compile date.

Indexed: true

`threat.enrichments.indicator.file.elf.exports`

Type: flattened

`threat.enrichments.indicator.file.elf.sections`

Type: nested

Type: nested

Level: Extended

Description: ELF object segment list.

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.elf.segments.sections`

Type: keyword

Level: Extended

Description: ELF object segment sections.

Indexed: true

`threat.enrichments.indicator.file.elf.segments.type`

Type: keyword

Level: Extended

Description: ELF object segment type.

Indexed: true

`threat.enrichments.indicator.file.elf.shared_libraries`

Type: keyword

Level: Extended

Description: List of shared libraries used by this ELF object.

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.mime_type`

Type: keyword

Level: Extended

Description: Media type of file, document, or arrangement of bytes.

Indexed: true

`threat.enrichments.indicator.file.mode`

Type: keyword

Level: Extended

Description: Mode of the file in octal representation.

Example: 0640

Indexed: true

Type: keyword

Level: Extended

Description: Target path for symlinks.

Indexed: true

Type: keyword

Level: Extended

Description: List of subject alternative names (SAN).

Example: *.elastic.co

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.x509.issuer.common_name`

Type: keyword

Level: Extended

Description: List of common name (CN) of issuing certificate authority.

Example: Example SHA2 High Assurance Server CA

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.x509.issuer.country`

Type: keyword

Level: Extended

Description: List of country (C) codes

Example: US

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.x509.subject.country`

Type: keyword

Level: Extended

Description: List of country (C) code

Example: US

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: List of organizational units (OU) of subject.

Normalization: array

Indexed: true

`threat.enrichments.indicator.file.x509.subject.state_or_province`

Type: keyword

Type: wildcard

Type: keyword

Level: Extended

Description: File extension from the request url, excluding the leading dot.

Example: png

Indexed: true

Type: keyword

Level: Extended

Description: Password of the request.

Indexed: true

`threat.enrichments.indicator.url.path`

Type: wildcard

Level: Extended

Description: Path of the request, such as "/search".

Indexed: true

`threat.enrichments.indicator.url.port`

Type: long

Level: Extended

Description: Port of the request, such as 443.

Example: 443

Indexed: true

Type: keyword

Level: Extended

Description: Username of the request.

Indexed: true

`threat.enrichments.indicator.x509.alternative_names`

Type: keyword

Level: Extended

Description: List of subject alternative names (SAN).

Example: *.elastic.co

Normalization: array

Indexed: true

`threat.enrichments.indicator.x509.issuer.common_name`

Type: keyword

Level: Extended

Description: List of common name (CN) of issuing certificate authority.

Example: Example SHA2 High Assurance Server CA

Normalization: array

Indexed: true

`threat.enrichments.indicator.x509.issuer.country`

Type: keyword

Level: Extended

Description: List of country (C) codes

Example: US

Normalization: array

Indexed: true

`threat.enrichments.indicator.x509.subject.country`

Type: keyword

Level: Extended

Description: List of country (C) code

Example: US

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: List of organizational units (OU) of subject.

Normalization: array

Indexed: true

`threat.enrichments.indicator.x509.subject.state_or_province`

Type: keyword

Type: keyword

Type: date

Level: Extended

Description: Last time the file was accessed.

Indexed: true

`threat.indicator.file.attributes`

Type: keyword

Type: date

Level: Extended

Description: File creation time.

Indexed: true

Type: date

Level: Extended

Description: Build or compile date.

Indexed: true

`threat.indicator.file.elf.exports`

Type: flattened

`threat.indicator.file.elf.sections`

Type: nested

Type: nested

Level: Extended

Description: ELF object segment list.

Normalization: array

Indexed: true

`threat.indicator.file.elf.segments.sections`

Type: keyword

Level: Extended

Description: ELF object segment sections.

Indexed: true

`threat.indicator.file.elf.segments.type`

Type: keyword

Level: Extended

Description: ELF object segment type.

Indexed: true

`threat.indicator.file.elf.shared_libraries`

Type: keyword

Level: Extended

Description: List of shared libraries used by this ELF object.

Normalization: array

Indexed: true

`threat.indicator.file.mime_type`

Type: keyword

Level: Extended

Description: Media type of file, document, or arrangement of bytes.

Indexed: true

`threat.indicator.file.mode`

Type: keyword

Level: Extended

Description: Mode of the file in octal representation.

Example: 0640

Indexed: true

Type: keyword

Level: Extended

Description: Target path for symlinks.

Indexed: true

Type: keyword

Level: Extended

Description: List of subject alternative names (SAN).

Example: *.elastic.co

Normalization: array

Indexed: true

`threat.indicator.file.x509.issuer.common_name`

Type: keyword

Level: Extended

Description: List of common name (CN) of issuing certificate authority.

Example: Example SHA2 High Assurance Server CA

Normalization: array

Indexed: true

`threat.indicator.file.x509.issuer.country`

Type: keyword

Level: Extended

Description: List of country (C) codes

Example: US

Normalization: array

Indexed: true

`threat.indicator.file.x509.subject.country`

Type: keyword

Level: Extended

Description: List of country (C) code

Example: US

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: List of organizational units (OU) of subject.

Normalization: array

Indexed: true

`threat.indicator.file.x509.subject.state_or_province`

Type: keyword

Type: wildcard

Type: keyword

Level: Extended

Description: File extension from the request url, excluding the leading dot.

Example: png

Indexed: true

Type: keyword

Level: Extended

Description: Password of the request.

Indexed: true

`threat.indicator.url.path`

Type: wildcard

Level: Extended

Description: Path of the request, such as "/search".

Indexed: true

`threat.indicator.url.port`

Type: long

Level: Extended

Description: Port of the request, such as 443.

Example: 443

Indexed: true

Type: keyword

Level: Extended

Description: Username of the request.

Indexed: true

`threat.indicator.x509.alternative_names`

Type: keyword

Level: Extended

Description: List of subject alternative names (SAN).

Example: *.elastic.co

Normalization: array

Indexed: true

`threat.indicator.x509.issuer.common_name`

Type: keyword

Level: Extended

Description: List of common name (CN) of issuing certificate authority.

Example: Example SHA2 High Assurance Server CA

Normalization: array

Indexed: true

`threat.indicator.x509.issuer.country`

Type: keyword

Level: Extended

Description: List of country (C) codes

Example: US

Normalization: array

Indexed: true

`threat.indicator.x509.subject.country`

Type: keyword

Level: Extended

Description: List of country (C) code

Example: US

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: List of organizational units (OU) of subject.

Normalization: array

Indexed: true

`threat.indicator.x509.subject.state_or_province`

Type: keyword

Level: Extended

Description: List of state or province names (ST, S, or P)

Example: California

Normalization: array

Indexed: true

`threat.indicator.x509.version_number`

Type: keyword

Level: Extended

Description: Version of x509 format.

Example: 3

Indexed: true

`threat.software.alias`

Type: keyword

Level: Extended

Description: Alias of the software

Example: [ "X-Agent" ]

Normalization: array

Indexed: true

`threat.software.id`

Type: keyword

Level: Extended

Description: ID of the software

Example: S0552

Indexed: true

`threat.software.name`

Type: keyword

Level: Extended

Description: Name of the software.

Example: AdFind

Indexed: true

`threat.software.platforms`

Type: keyword

Level: Extended

Description: Platforms of the software.

Example: [ "Windows" ]

Normalization: array

Indexed: true

`threat.software.reference`

Type: keyword

Level: Extended

Description: Software reference URL.

Example: https://attack.mitre.org/software/S0552/

Indexed: true

Type: match_only_text

Level: Extended

Description: Threat technique name.

Example: Command and Scripting Interpreter

Indexed: true

`threat.technique.reference`

Type: keyword

Level: Extended

Description: Threat technique URL reference.

Example: https://attack.mitre.org/techniques/T1059/

Normalization: array

Indexed: true

`threat.technique.subtechnique.id`

Type: keyword

Level: Extended

Description: Threat subtechnique id.

Example: T1059.001

Normalization: array

Indexed: true

`threat.technique.subtechnique.name`

Type: keyword

Level: Extended

Description: Threat subtechnique name.

Example: PowerShell

Normalization: array

Indexed: true

`threat.technique.subtechnique.name.text`

Type: match_only_text

Level: Extended

Description: Threat subtechnique name.

Example: PowerShell

Indexed: true

`threat.technique.subtechnique.reference`

Type: keyword

Level: Extended

Description: Threat subtechnique URL reference.

Example: https://attack.mitre.org/techniques/T1059/001/

Normalization: array

Indexed: true

Span TLS