---
name: main
fields:
base:
fields: "*"
agent:
fields: "*"
as:
fields: "*"
client:
fields:
address: {}
as:
fields: "*"
bytes: {}
domain: {}
geo:
fields: "*"
ip: {}
mac: {}
nat:
fields:
ip: {}
port: {}
packets: {}
port: {}
subdomain: {}
registered_domain: {}
top_level_domain: {}
user:
fields:
domain: {}
email: {}
full_name: {}
group:
fields: "*"
hash: {}
id: {}
name: {}
roles: {}
cloud:
fields: "*"
code_signature:
fields: "*"
container:
fields: "*"
data_stream:
fields: "*"
destination:
fields:
address: {}
as:
fields: "*"
bytes: {}
domain: {}
geo:
fields: "*"
ip: {}
mac: {}
nat:
fields:
ip: {}
port: {}
packets: {}
port: {}
subdomain: {}
registered_domain: {}
top_level_domain: {}
user:
fields:
domain: {}
email: {}
full_name: {}
group:
fields: "*"
hash: {}
id: {}
name: {}
roles: {}
device:
fields: "*"
dll:
fields: "*"
dns:
fields: "*"
ecs:
fields: "*"
elf:
fields: "*"
email:
fields: "*"
error:
fields: "*"
event:
fields: "*"
faas:
fields: "*"
file:
fields: "*"
geo:
fields: "*"
group:
fields: "*"
hash:
fields: "*"
host:
fields: "*"
http:
fields: "*"
interface:
fields: "*"
log:
fields: "*"
macho:
fields: "*"
network:
fields: "*"
observer:
fields: "*"
orchestrator:
fields: "*"
organization:
fields: "*"
os:
fields: "*"
package:
fields: "*"
pe:
fields: "*"
process:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
entry_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
entry_meta:
fields:
type: {}
source:
fields:
ip: {}
executable: {}
interactive: {}
name: {}
parent:
fields:
entity_id: {}
pid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
start: {}
pid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
attested_user:
fields:
id: {}
name: {}
attested_groups:
fields:
name: {}
entry_meta:
fields:
type:
docs_only: True
env_vars: {}
executable: {}
exit_code: {}
group_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
hash:
fields: "*"
interactive: {}
io:
fields: "*"
macho:
fields: "*"
name: {}
parent:
fields:
args: {}
args_count: {}
code_signature:
fields: "*"
command_line: {}
elf:
fields: "*"
end: {}
entity_id: {}
executable: {}
exit_code: {}
group_leader:
fields:
entity_id: {}
pid: {}
start: {}
hash:
fields: "*"
interactive: {}
macho:
fields: "*"
name: {}
pe:
fields: "*"
pgid: {}
pid: {}
start: {}
thread:
fields:
id: {}
name: {}
title: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
uptime: {}
working_directory: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
pe:
fields: "*"
pgid: {}
pid: {}
previous:
fields:
args: {}
args_count: {}
executable: {}
real_group:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
same_as_process:
docs_only: True
saved_group:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
start: {}
supplemental_groups:
fields:
id: {}
name: {}
session_leader:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
interactive: {}
name: {}
pid: {}
same_as_process: {}
start: {}
tty:
fields:
char_device:
fields:
major: {}
minor: {}
working_directory: {}
parent:
fields:
entity_id: {}
pid: {}
start: {}
session_leader:
fields:
entity_id: {}
pid: {}
start: {}
user:
fields:
id: {}
name: {}
real_user:
fields:
id: {}
name: {}
saved_user:
fields:
id: {}
name: {}
group:
fields:
id: {}
name: {}
real_group:
fields:
id: {}
name: {}
saved_group:
fields:
id: {}
name: {}
supplemental_groups:
fields:
id: {}
name: {}
thread:
fields:
id: {}
name: {}
title: {}
tty:
fields: "*"
uptime: {}
user:
fields:
id: {}
name: {}
working_directory: {}
registry:
fields: "*"
related:
fields: "*"
risk:
fields: "*"
rule:
fields: "*"
server:
fields:
address: {}
as:
fields: "*"
bytes: {}
domain: {}
geo:
fields: "*"
ip: {}
mac: {}
nat:
fields:
ip: {}
port: {}
packets: {}
port: {}
subdomain: {}
registered_domain: {}
top_level_domain: {}
user:
fields:
domain: {}
email: {}
full_name: {}
group:
fields: "*"
hash: {}
id: {}
name: {}
roles: {}
service:
fields: "*"
source:
fields:
address: {}
as:
fields: "*"
bytes: {}
domain: {}
geo:
fields: "*"
ip: {}
mac: {}
nat:
fields:
ip: {}
port: {}
packets: {}
port: {}
subdomain: {}
registered_domain: {}
top_level_domain: {}
user:
fields:
domain: {}
email: {}
full_name: {}
group:
fields: "*"
hash: {}
id: {}
name: {}
roles: {}
threat:
fields: "*"
tls:
fields: "*"
tracing:
fields: "*"
url:
fields: "*"
user_agent:
fields: "*"
user:
fields:
changes:
fields:
domain: {}
email: {}
group:
fields: "*"
full_name: {}
hash: {}
id: {}
name: {}
roles: {}
domain: {}
effective:
fields:
domain: {}
email: {}
group:
fields: "*"
full_name: {}
hash: {}
id: {}
name: {}
roles: {}
email: {}
group:
fields: "*"
full_name: {}
hash: {}
id: {}
name: {}
risk:
fields: "*"
roles: {}
target:
fields:
domain: {}
email: {}
group:
fields: "*"
full_name: {}
hash: {}
id: {}
name: {}
roles: {}
vlan:
fields: "*"
vulnerability:
fields: "*"
x509:
fields: "*"