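---
# Subset definition named "main". The layout (a top-level `fields` mapping of
# field sets, each with its own `fields` entry) looks like an Elastic Common
# Schema (ECS) subset file -- confirm against the consuming generator.
#
# NOTE(review): the source arrived with all indentation collapsed onto a few
# physical lines, which does not parse as a nested mapping. The nesting below
# is reconstructed from token order and from the rule that a key may not
# repeat inside one mapping. Validate the result with the schema tooling
# before relying on it.
#
# Conventions used throughout this file:
#   fields: "*"  wildcard entry for a whole field set. Presumably this also
#                admits fields added to the set later, so re-check mapping
#                growth on schema upgrades.
#   <leaf>: {}   one explicitly listed field with no options.
#   docs_only    per-field option; presumably limits the field to generated
#                documentation -- TODO confirm.
name: main
fields:
  base:
    fields: "*"
  agent:
    fields: "*"
  as:
    fields: "*"
  # Network endpoint sets (client, destination, server, source) share one
  # explicit allow-list; the nested `user` is narrowed to identity leaves.
  client:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  cloud:
    fields: "*"
  code_signature:
    fields: "*"
  container:
    fields: "*"
  data_stream:
    fields: "*"
  destination:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  device:
    fields: "*"
  dll:
    fields: "*"
  dns:
    fields: "*"
  ecs:
    fields: "*"
  elf:
    fields: "*"
  email:
    fields: "*"
  error:
    fields: "*"
  event:
    fields: "*"
  faas:
    fields: "*"
  file:
    fields: "*"
  geo:
    fields: "*"
  group:
    fields: "*"
  hash:
    fields: "*"
  host:
    fields: "*"
  http:
    fields: "*"
  interface:
    fields: "*"
  log:
    fields: "*"
  macho:
    fields: "*"
  network:
    fields: "*"
  observer:
    fields: "*"
  orchestrator:
    fields: "*"
  organization:
    fields: "*"
  os:
    fields: "*"
  package:
    fields: "*"
  pe:
    fields: "*"
  # Process telemetry is listed leaf by leaf rather than by wildcard.
  # NOTE(review): args, command_line and env_vars can carry credentials or
  # tokens in practice; consider redaction at collection time and restricted
  # read access on the indices that store them.
  process:
    fields:
      args: {}
      args_count: {}
      code_signature:
        fields: "*"
      command_line: {}
      elf:
        fields: "*"
      end: {}
      entity_id: {}
      # Entry leader: the only leader block that also lists entry_meta and the
      # attested_* identities.
      entry_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          entry_meta:
            fields:
              type: {}
              source:
                fields:
                  ip: {}
          executable: {}
          interactive: {}
          name: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  start: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
          attested_user:
            fields:
              id: {}
              name: {}
          attested_groups:
            fields:
              name: {}
      entry_meta:
        fields:
          type:
            docs_only: true
      env_vars: {}
      executable: {}
      exit_code: {}
      group_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      hash:
        fields: "*"
      interactive: {}
      io:
        fields: "*"
      macho:
        fields: "*"
      name: {}
      # Parent process: carries binary metadata (code_signature, elf, hash,
      # macho, pe) by wildcard in addition to the identity leaves.
      parent:
        fields:
          args: {}
          args_count: {}
          code_signature:
            fields: "*"
          command_line: {}
          elf:
            fields: "*"
          end: {}
          entity_id: {}
          executable: {}
          exit_code: {}
          group_leader:
            fields:
              entity_id: {}
              pid: {}
              start: {}
          hash:
            fields: "*"
          interactive: {}
          macho:
            fields: "*"
          name: {}
          pe:
            fields: "*"
          pgid: {}
          pid: {}
          start: {}
          thread:
            fields:
              id: {}
              name: {}
          title: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          uptime: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      pe:
        fields: "*"
      pgid: {}
      pid: {}
      # NOTE(review): `previous` is taken to end after `executable`; the keys
      # that follow are placed at process level -- confirm against upstream.
      previous:
        fields:
          args: {}
          args_count: {}
          executable: {}
      real_group:
        fields:
          id: {}
          name: {}
      real_user:
        fields:
          id: {}
          name: {}
      same_as_process:
        docs_only: true
      saved_group:
        fields:
          id: {}
          name: {}
      saved_user:
        fields:
          id: {}
          name: {}
      start: {}
      supplemental_groups:
        fields:
          id: {}
          name: {}
      session_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  start: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}
      thread:
        fields:
          id: {}
          name: {}
      title: {}
      # Unlike the leader and parent blocks, the process-level tty is a
      # wildcard rather than char_device major/minor only.
      tty:
        fields: "*"
      uptime: {}
      user:
        fields:
          id: {}
          name: {}
      working_directory: {}
  registry:
    fields: "*"
  related:
    fields: "*"
  risk:
    fields: "*"
  rule:
    fields: "*"
  server:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  service:
    fields: "*"
  source:
    fields:
      address: {}
      as:
        fields: "*"
      bytes: {}
      domain: {}
      geo:
        fields: "*"
      ip: {}
      mac: {}
      nat:
        fields:
          ip: {}
          port: {}
      packets: {}
      port: {}
      subdomain: {}
      registered_domain: {}
      top_level_domain: {}
      user:
        fields:
          domain: {}
          email: {}
          full_name: {}
          group:
            fields: "*"
          hash: {}
          id: {}
          name: {}
          roles: {}
  threat:
    fields: "*"
  tls:
    fields: "*"
  tracing:
    fields: "*"
  url:
    fields: "*"
  user_agent:
    fields: "*"
  # Top-level user: the changes / effective / target sub-users each repeat the
  # same identity leaves; only the top level also lists `risk`.
  user:
    fields:
      changes:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
      domain: {}
      effective:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
      email: {}
      group:
        fields: "*"
      full_name: {}
      hash: {}
      id: {}
      name: {}
      risk:
        fields: "*"
      roles: {}
      target:
        fields:
          domain: {}
          email: {}
          group:
            fields: "*"
          full_name: {}
          hash: {}
          id: {}
          name: {}
          roles: {}
  vlan:
    fields: "*"
  vulnerability:
    fields: "*"
  x509:
    fields: "*"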