Host
Fields describing the relevant computing instance.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| host.architecture | keyword | Core | Operating system architecture. |
| host.boot.id | keyword | Extended | Linux boot UUID, taken from /proc/sys/kernel/random/boot_id. |
| host.cpu.usage | scaled_float | Extended | Percent CPU used, between 0 and 1. |
| host.disk.read.bytes | long | Extended | The number of bytes read by all disks. |
| host.disk.write.bytes | long | Extended | The number of bytes written on all disks. |
| host.domain | keyword | Extended | Name of the directory the group is a member of. |
| host.geo.city_name | keyword | Core | City name. |
| host.geo.continent_code | keyword | Core | Continent code. |
| host.geo.continent_name | keyword | Core | Name of the continent. |
| host.geo.country_iso_code | keyword | Core | Country ISO code. |
| host.geo.country_name | keyword | Core | Country name. |
| host.geo.location | geo_point | Core | Longitude and latitude. |
| host.geo.name | keyword | Extended | User-defined description of a location. |
| host.geo.postal_code | keyword | Core | Postal code. |
| host.geo.region_iso_code | keyword | Core | Region ISO code. |
| host.geo.region_name | keyword | Core | Region name. |
| host.geo.timezone | keyword | Core | Time zone. |
| host.hostname | keyword | Core | Hostname of the host. |
| host.id | keyword | Core | Unique host id. |
| host.ip | ip | Core | Host IP addresses. |
| host.mac | keyword | Core | Host MAC addresses. |
| host.name | keyword | Core | Name of the host. |
| host.network.egress.bytes | long | Extended | The number of bytes sent on all network interfaces. |
| host.network.egress.packets | long | Extended | The number of packets sent on all network interfaces. |
| host.network.ingress.bytes | long | Extended | The number of bytes received on all network interfaces. |
| host.network.ingress.packets | long | Extended | The number of packets received on all network interfaces. |
| host.os.family | keyword | Extended | OS family (such as redhat, debian, freebsd, windows). |
| host.os.full | keyword | Extended | Operating system name, including the version or code name. |
| host.os.full.text | match_only_text | Extended | Operating system name, including the version or code name. |
| host.os.kernel | keyword | Extended | Operating system kernel version as a raw string. |
| host.os.name | keyword | Extended | Operating system name, without the version. |
| host.os.name.text | match_only_text | Extended | Operating system name, without the version. |
| host.os.platform | keyword | Extended | Operating system platform (such as centos, ubuntu, windows). |
| host.os.type | keyword | Extended | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). |
| host.os.version | keyword | Extended | Operating system version as a raw string. |
| host.pid_ns_ino | keyword | Extended | PID namespace inode. |
| host.risk.calculated_level | keyword | Extended | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. |
| host.risk.calculated_score | float | Extended | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. |
| host.risk.calculated_score_norm | float | Extended | A normalized risk score calculated by an internal system. |
| host.risk.static_level | keyword | Extended | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. |
| host.risk.static_score | float | Extended | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. |
| host.risk.static_score_norm | float | Extended | A normalized risk score calculated by an external system. |
| host.type | keyword | Core | Type of host. |
| host.uptime | long | Extended | Seconds the host has been up. |
Field Details
host.architecture
Type: keyword
Level: Core
Description: Operating system architecture.
Example: x86_64
Indexed: true
host.boot.id
Type: keyword
Level: Extended
Description: Linux boot UUID, taken from /proc/sys/kernel/random/boot_id.
Example: 88a1f0ed-5ae5-41ee-af6b-41921c311872
Indexed: true
host.cpu.usage
Type: scaled_float
Level: Extended
Description: Percent CPU used, between 0 and 1.
Indexed: true
host.disk.read.bytes
Type: long
Level: Extended
Description: The number of bytes read by all disks.
Indexed: true
host.disk.write.bytes
Type: long
Level: Extended
Description: The number of bytes written on all disks.
Indexed: true
host.domain
Type: keyword
Level: Extended
Description: Name of the directory the group is a member of.
Example: CONTOSO
Indexed: true
host.geo.city_name
Type: keyword
Level: Core
Description: City name.
Example: Montreal
Indexed: true
host.geo.continent_code
Type: keyword
Level: Core
Description: Continent code.
Example: NA
Indexed: true
host.geo.continent_name
Type: keyword
Level: Core
Description: Name of the continent.
Example: North America
Indexed: true
host.geo.country_iso_code
Type: keyword
Level: Core
Description: Country ISO code.
Example: CA
Indexed: true
host.geo.country_name
Type: keyword
Level: Core
Description: Country name.
Example: Canada
Indexed: true
host.geo.location
Type: geo_point
Level: Core
Description: Longitude and latitude.
Example: { "lon": -73.614830, "lat": 45.505918 }
Indexed: true
host.geo.name
Type: keyword
Level: Extended
Description: User-defined description of a location.
Example: boston-dc
Indexed: true
host.geo.postal_code
Type: keyword
Level: Core
Description: Postal code.
Example: 94040
Indexed: true
host.geo.region_iso_code
Type: keyword
Level: Core
Description: Region ISO code.
Example: CA-QC
Indexed: true
host.geo.region_name
Type: keyword
Level: Core
Description: Region name.
Example: Quebec
Indexed: true
host.geo.timezone
Type: keyword
Level: Core
Description: Time zone.
Example: America/Argentina/Buenos_Aires
Indexed: true
host.hostname
Type: keyword
Level: Core
Description: Hostname of the host.
Indexed: true
host.id
Type: keyword
Level: Core
Description: Unique host id.
Indexed: true
host.ip
Type: ip
Level: Core
Description: Host IP addresses.
Normalization: array
Indexed: true
host.mac
Type: keyword
Level: Core
Description: Host MAC addresses.
Example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
Normalization: array
Indexed: true
host.name
Type: keyword
Level: Core
Description: Name of the host.
Indexed: true
host.network.egress.bytes
Type: long
Level: Extended
Description: The number of bytes sent on all network interfaces.
Indexed: true
host.network.egress.packets
Type: long
Level: Extended
Description: The number of packets sent on all network interfaces.
Indexed: true
host.network.ingress.bytes
Type: long
Level: Extended
Description: The number of bytes received on all network interfaces.
Indexed: true
host.network.ingress.packets
Type: long
Level: Extended
Description: The number of packets received on all network interfaces.
Indexed: true
host.os.family
Type: keyword
Level: Extended
Description: OS family (such as redhat, debian, freebsd, windows).
Example: debian
Indexed: true
host.os.full
Type: keyword
Level: Extended
Description: Operating system name, including the version or code name.
Example: Mac OS Mojave
Indexed: true
host.os.full.text
Type: match_only_text
Level: Extended
Description: Operating system name, including the version or code name.
Example: Mac OS Mojave
Indexed: true
host.os.kernel
Type: keyword
Level: Extended
Description: Operating system kernel version as a raw string.
Example: 4.4.0-112-generic
Indexed: true
host.os.name
Type: keyword
Level: Extended
Description: Operating system name, without the version.
Example: Mac OS X
Indexed: true
host.os.name.text
Type: match_only_text
Level: Extended
Description: Operating system name, without the version.
Example: Mac OS X
Indexed: true
host.os.platform
Type: keyword
Level: Extended
Description: Operating system platform (such as centos, ubuntu, windows).
Example: darwin
Indexed: true
host.os.type
Type: keyword
Level: Extended
Description: Which commercial OS family (one of: linux, macos, unix, windows, ios or android).
Example: macos
Indexed: true
host.os.version
Type: keyword
Level: Extended
Description: Operating system version as a raw string.
Example: 10.14.1
Indexed: true
host.pid_ns_ino
Type: keyword
Level: Extended
Description: PID namespace inode.
Example: 256383
Indexed: true
host.risk.calculated_level
Type: keyword
Level: Extended
Description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
Example: High
Indexed: true
host.risk.calculated_score
Type: float
Level: Extended
Description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
Example: 880.73
Indexed: true
host.risk.calculated_score_norm
Type: float
Level: Extended
Description: A normalized risk score calculated by an internal system.
Example: 88.73
Indexed: true
host.risk.static_level
Type: keyword
Level: Extended
Description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
Example: High
Indexed: true
host.risk.static_score
Type: float
Level: Extended
Description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
Example: 830.0
Indexed: true
host.risk.static_score_norm
Type: float
Level: Extended
Description: A normalized risk score calculated by an external system.
Example: 83.0
Indexed: true
host.type
Type: keyword
Level: Core
Description: Type of host.
Indexed: true
host.uptime
Type: long
Level: Extended
Description: Seconds the host has been up.
Example: 1325
Indexed: true